openzfs / spl

A shim layer which adds the core interfaces required for OpenZFS.
https://zfsonlinux.org/
GNU General Public License v2.0

Fix use-after-free in taskq_seq_show_impl #640

Closed tuxoko closed 6 years ago

tuxoko commented 6 years ago

taskq_seq_show_impl walks the tq_active_list to show the tqent_func and tqent_arg. However, for taskq_dispatch_ent, it's very likely that the task entry will be freed during the function call, causing a use-after-free bug.

To fix this, we duplicate the task entry to an on-stack struct, and assign it instead to tqt_task. This way, the tq_lock alone will guarantee its safety.

Signed-off-by: Chunwei Chen david.chen@osnexus.com
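The copy-under-lock fix the message describes, as an added single-threaded illustration that is not SPL's own code: the job frees its own embedded entry mid-run, the way a taskq_dispatch_ent caller can, and a seq_show-style reader still sees valid data because tqt_task points at the thread's stack copy. Apart from tqt_task, tq_lock, tqent_func and tqent_arg, every name here (taskq_ent_t, taskq_thread_t, show_active, job_t, demo) is an assumption for the demo.

```c
/* Added illustration of the fix described in this PR: hypothetical names, not SPL code. */
#include <stdlib.h>
typedef void (*task_func_t)(void *);
typedef struct { task_func_t tqent_func; void *tqent_arg; } taskq_ent_t;
typedef struct { taskq_ent_t *tqt_task; } taskq_thread_t;

static int tq_lock_held;   /* simulated tq_lock: single-threaded demo, bookkeeping only */
static void tq_lock(void) { tq_lock_held = 1; }
static void tq_unlock(void) { tq_lock_held = 0; }

/* seq_show-style reader: caller must hold tq_lock; reads only through tqt_task. */
static int show_active(taskq_thread_t *tqt, task_func_t *fn, void **arg)
{
    if (!tq_lock_held || tqt->tqt_task == NULL) return 0;
    *fn = tqt->tqt_task->tqent_func;  *arg = tqt->tqt_task->tqent_arg;
    return 1;
}

/* Caller-owned object with an embedded entry, dispatched with the
   taskq_dispatch_ent lifetime: the task itself frees it while running. */
typedef struct { taskq_ent_t ent; taskq_thread_t *thread; } job_t;
static task_func_t g_seen_func;   /* what the reader observed after the free */
static void job_func(void *arg)
{
    job_t *job = arg;  taskq_thread_t *tqt = job->thread;  void *seen_arg;
    free(job);                                  /* the original entry is gone now */
    tq_lock();                                  /* a concurrent reader's view */
    show_active(tqt, &g_seen_func, &seen_arg);  /* safe: reads the thread's copy */
    tq_unlock();
}

/* Thread side, as in the fix: duplicate the entry into a stack-local struct and publish
   that copy via tqt_task, so tq_lock alone protects readers. Before: tqt_task = ent. */
static void taskq_thread_run(taskq_thread_t *tqt, taskq_ent_t *ent)
{
    taskq_ent_t dup;
    tq_lock();  dup = *ent;  tqt->tqt_task = &dup;  tq_unlock();
    dup.tqent_func(dup.tqent_arg);              /* may free ent; dup is unaffected */
    tq_lock();  tqt->tqt_task = NULL;  tq_unlock();
}

/* Driver: dispatch one self-freeing job; returns 1 if the mid-run reader saw it. */
static int demo(void)
{
    taskq_thread_t tqt = { NULL };
    job_t *job = malloc(sizeof *job);
    if (!job) return 0;
    g_seen_func = NULL;  job->thread = &tqt;  job->ent.tqent_func = job_func;  job->ent.tqent_arg = job;
    taskq_thread_run(&tqt, &job->ent);
    return g_seen_func == job_func && tqt.tqt_task == NULL;
}
```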

tuxoko commented 6 years ago

https://github.com/zfsonlinux/spl/issues/638

tuxoko commented 6 years ago

Update according to the review.