summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWANG Cong <xiyou.wangcong@gmail.com>2016-01-29 11:58:03 -0800
committerDavid S. Miller <davem@davemloft.net>2016-01-29 22:56:46 -0800
commit3d45296ab96c2ec8308226b3350a6d9e48379870 (patch)
tree1842eaaeb44e9d2ac1d485833d0d7e3029e3a51a
parentae9d723e9fbe9fb28213b7df26475791428bf76a (diff)
irda: fix a potential use-after-free in ircomm_param_request
self->ctrl_skb is protected by self->spinlock, we should not access it out of the lock. Move the debugging printk inside. Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/irda/ircomm/ircomm_param.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/net/irda/ircomm/ircomm_param.c b/net/irda/ircomm/ircomm_param.c
index 3c4caa60c926..5728e76ca6d5 100644
--- a/net/irda/ircomm/ircomm_param.c
+++ b/net/irda/ircomm/ircomm_param.c
@@ -134,11 +134,10 @@ int ircomm_param_request(struct ircomm_tty_cb *self, __u8 pi, int flush)
return -1;
}
skb_put(skb, count);
+ pr_debug("%s(), skb->len=%d\n", __func__, skb->len);
spin_unlock_irqrestore(&self->spinlock, flags);
- pr_debug("%s(), skb->len=%d\n", __func__ , skb->len);
-
if (flush) {
/* ircomm_tty_do_softint will take care of the rest */
schedule_work(&self->tqueue);