From mboxrd@z Thu Jan  1 00:00:00 1970
Subject: Re: 2.5.69-mm9
References: <20030525042759.6edacd62.akpm@digeo.com>
	<1053899811.750.1.camel@teapot.felipe-alfaro.com>
	<20030525154840.3ba7609b.akpm@digeo.com>
From: Trond Myklebust <trond.myklebust@fys.uio.no>
Date: 26 May 2003 01:19:54 +0200
In-Reply-To: <20030525154840.3ba7609b.akpm@digeo.com>
Message-ID: <shsk7ceaa1x.fsf@charged.uio.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-linux-mm@kvack.org
Return-Path: <owner-linux-mm@kvack.org>
To: Andrew Morton <akpm@digeo.com>
Cc: Felipe Alfaro Solana <felipe_alfaro@linuxmail.org>, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Trond Myklebust <trond.myklebust@fys.uio.no>, Neil Brown <neilb@cse.unsw.edu.au>
List-ID: <linux-mm.kvack.org>

>>>>> " " == Andrew Morton <akpm@digeo.com> writes:

     > I would be inclined to say that this is a hitherto undiscovered
     > use-after-free bug.

Does the following fix it?

Cheers,
  Trond


--- linux-2.5.69/net/sunrpc/svcsock.c.orig	2003-05-20 08:34:35.000000000 +0200
+++ linux-2.5.69/net/sunrpc/svcsock.c	2003-05-26 01:16:33.000000000 +0200
@@ -600,6 +600,7 @@
 			return 0;
 		}
 		local_bh_enable();
+		svsk->sk_sk->stamp = skb->stamp;
 		skb_free_datagram(svsk->sk_sk, skb); 
 	} else {
 		/* we can use it in-place */
@@ -614,6 +615,7 @@
 			skb->ip_summed = CHECKSUM_UNNECESSARY;
 		}
 		rqstp->rq_skbuff = skb;
+		svsk->sk_sk->stamp = skb->stamp;
 	}
 
 	rqstp->rq_arg.page_base = 0;
@@ -629,7 +631,6 @@
 		serv->sv_stats->netudpcnt++;
 
 	/* One down, maybe more to go... */
-	svsk->sk_sk->stamp = skb->stamp;
 	svc_sock_received(svsk);
 
 	return len;
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"aart@kvack.org"> aart@kvack.org </a>