From 1605b8471d64c855bc2493abf3adf6a1ebc3e645 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Wed, 9 May 2007 13:04:39 +1000 Subject: [PATCH] [CRYPTO] cryptomgr: Fix use after free By the time kthread_run returns the param may have already been freed so writing the returned thread_struct pointer to param is wrong. In fact, we don't need it in param anyway so this patch simply puts it on the stack. Signed-off-by: Herbert Xu --- crypto/cryptomgr.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/crypto/cryptomgr.c b/crypto/cryptomgr.c index 6958ea83ee44..e5fb7cca5107 100644 --- a/crypto/cryptomgr.c +++ b/crypto/cryptomgr.c @@ -24,8 +24,6 @@ #include "internal.h" struct cryptomgr_param { - struct task_struct *thread; - struct rtattr *tb[CRYPTOA_MAX]; struct { @@ -81,6 +79,7 @@ err: static int cryptomgr_schedule_probe(struct crypto_larval *larval) { + struct task_struct *thread; struct cryptomgr_param *param; const char *name = larval->alg.cra_name; const char *p; @@ -130,8 +129,8 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval) memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME); - param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); - if (IS_ERR(param->thread)) + thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); + if (IS_ERR(thread)) goto err_free_param; return NOTIFY_STOP;