From: One Thousand Gnomes <gno...@lxorguk.ukuu.org.uk>
Date: Thu, 17 Dec 2015 23:47:39 +0000
> On Thu, 17 Dec 2015 16:05:32 -0500 (EST)
> David Miller <da...@davemloft.net> wrote:
>
>> From: One Thousand Gnomes <gno...@lxorguk.ukuu.org.uk>
>> Date: Thu, 17 Dec 2015 11:41:04 +0000
>>
>> >> This report is then followed by a dozen of other use-after-free reports.
>> >>
>> >> On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).
>> >>
>> >> Thank you
>> >
>> > sixpack_close does unregister_netdev(sp->dev), which frees sp as sp is
>> > actually allocated via alloc_netdev()
>> >
>> > Then deletes two timers within sp
>> >
>> > Then frees two buffers indexed off sp
>>
>> This should fix it, the only thing I'm unsure of is if we should perhaps
>> also use del_timer_sync() here. Anyone?
>
> I think you need to yes as the timers use the data you wil be freeing in
> the unregister.
Ok.
> Also you are at the point the tty is closing so the net device may be
> active. Don't you need to netif_stop_queue() or defer the buffer
> kfrees until after the network device is unregistered so you don't pee
> into free memory if you have a transmit occurring ?
I'm pretty sure that's what the semaphore down above this sequence is
accomplishing. But if we do need the netif_stop_queue() let's do that
as a separate patch.
Here is the patch I am checking in:
====================
[PATCH] 6pack: Fix use after free in sixpack_close().
Need to do the unregister_device() after all references to the driver
private have been done.
Also we need to use del_timer_sync() for the timers so that we don't
have any asynchronous references after the unregister.
Signed-off-by: David S. Miller <da...@davemloft.net>
---
drivers/net/hamradio/6pack.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 7c4a415..9f0b1c3 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -683,14 +683,14 @@ static void sixpack_close(struct tty_struct *tty)
if (!atomic_dec_and_test(&sp->refcnt))
down(&sp->dead_sem);
- unregister_netdev(sp->dev);
-
- del_timer(&sp->tx_t);
- del_timer(&sp->resync_t);
+ del_timer_sync(&sp->tx_t);
+ del_timer_sync(&sp->resync_t);
/* Free all 6pack frame buffers. */
kfree(sp->rbuff);
kfree(sp->xbuff);
+
+ unregister_netdev(sp->dev);
}
/* Perform I/O control on an active 6pack channel. */
--
2.4.1
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
