neigh: fix use-after-free read in pneigh_get_next

[android-x86/kernel.git] / net / core / neighbour.c

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 428dd61..01cdfe8 100644 (file)
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2704,6 +2704,7 @@ static void *neigh_get_idx_any(struct seq_file *seq, loff_t *pos)
 }
 
 void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags)
+       __acquires(tbl->lock)
        __acquires(rcu_bh)
 {
        struct neigh_seq_state *state = seq->private;
@@ -2714,6 +2715,7 @@ void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl
 
        rcu_read_lock_bh();
        state->nht = rcu_dereference_bh(tbl->nht);
+       read_lock(&tbl->lock);
 
        return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN;
 }
@@ -2747,8 +2749,13 @@ out:
 EXPORT_SYMBOL(neigh_seq_next);
 
 void neigh_seq_stop(struct seq_file *seq, void *v)
+       __releases(tbl->lock)
        __releases(rcu_bh)
 {
+       struct neigh_seq_state *state = seq->private;
+       struct neigh_table *tbl = state->tbl;
+
+       read_unlock(&tbl->lock);
        rcu_read_unlock_bh();
 }
 EXPORT_SYMBOL(neigh_seq_stop);