> > Also you are at the point the tty is closing so the net device may be
> > active. Don't you need to netif_stop_queue() or defer the buffer
> > kfrees until after the network device is unregistered so you don't pee
> > into free memory if you have a transmit occurring ?
>
> I'm pretty sure that
I'm pretty sure that's what the semaphore down above this sequence is
accomplishing. But if we do need the netif_stop_queue() let's do that
as a separate patch.
Here
From: Ralf Baechle
Date: Thu, 17 Dec 2015 22:35:31 +0100
> On Thu, Dec 17, 2015 at 04:05:49PM -0500, David Miller wrote:
>
>> Subject: [PATCH 2/2] mkiss: Fix use after free in sixpack_close().
>
> Make that subject "... mkiss_close()."
Durrr... indeed. Thanks for
On Thu, 17 Dec 2015 16:05:32 -0500 (EST)
David Miller wrote:
> From: One Thousand Gnomes
> Date: Thu, 17 Dec 2015 11:41:04 +
>
> >> This report is then followed by a dozen of other use-after-free reports.
> >>
> >> On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).
> >>
> >> Tha
On Thu, Dec 17, 2015 at 04:05:32PM -0500, David Miller wrote:
> This should fix it, the only thing I'm unsure of is if we should perhaps
> also use del_timer_sync() here. Anyone?
I think so.
Ralf
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
On Thu, Dec 17, 2015 at 04:05:49PM -0500, David Miller wrote:
> Subject: [PATCH 2/2] mkiss: Fix use after free in sixpack_close().
Make that subject "... mkiss_close()."
Ralf
Need to do the unregister_device() after all references to the driver
private have been done.
Signed-off-by: David S. Miller
---
drivers/net/hamradio/mkiss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
index
one?
====
[PATCH 1/2] 6pack: Fix use after free in sixpack_close().
Need to do the unregister_device() after all references to the driver
private have been done.
Signed-off-by: David S. Miller
---
drivers/net/hamradio/6pack.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(
> This report is then followed by a dozen of other use-after-free reports.
>
> On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).
>
> Thank you
sixpack_close does unregister_netdev(sp->dev), which frees sp as sp is
actually allocated via alloc_netdev()
Then deletes two timers within s
Hello,
The following program triggers use-after-free in sixpack_close:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include
#include
#include
#include
#include
#include
#include
int main()
{
int fd = open("/dev/ptmx", O_RDWR);
int