Commit acafac31 authored by Philippe Gerum's avatar Philippe Gerum Committed by Jan Kiszka

cobalt/sched: quota: fix use-after-free in quota_remove operation

KASAN detected this issue while removing a quota group, as a result of
accessing members from the xnsched_quota_group struct after the
container struct was freed.
Signed-off-by: Philippe Gerum's avatarPhilippe Gerum <rpm@xenomai.org>
Signed-off-by: Jan Kiszka's avatarJan Kiszka <jan.kiszka@siemens.com>
parent 5c4d87c7
......@@ -446,8 +446,12 @@ int set_quota_config(int cpu, union sched_config *config, size_t len)
}
list_del(&group->next);
xnlock_put_irqrestore(&nklock, s);
iq->tgid = tg->tgid;
iq->quota = tg->quota_percent;
iq->quota_peak = tg->quota_peak_percent;
iq->quota_sum = quota_sum;
xnfree(group);
break;
return 0;
case sched_quota_set:
xnlock_get_irqsave(&nklock, s);
sched = xnsched_struct(cpu);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment