Re: PATCH? net/bridge/br_if.c: fix use after free in port_carrier_check()

From: Oleg Nesterov
Date: Tue Feb 20 2007 - 09:34:35 EST


On 02/20, David Howells wrote:
>
> Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
>
> > static void release_nbp(struct kobject *kobj)
> > {
> > struct net_bridge_port *p
> > = container_of(kobj, struct net_bridge_port, kobj);
> > +
> > + dev_put(p->dev);
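
Review bot: The dev_put(p->dev) added in release_nbp() should carry a short comment naming the dev_hold() it balances, because the kobject release callback is now the place where the port's reference on the device ends, and that is not obvious from this function alone. The visible lines also do not show the existing dev_put() being removed from the teardown path; if it stays, the device reference is dropped twice, so the final patch should include that removal in the same change. The changelog should also state why dropping the reference here, only after the last kobject reference is gone, closes the use after free in port_carrier_check().
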
>
> Does this need to be done with the mutex held?

I think no. At least the current code does dev_put() without mutex held.

> And does anything actually pay
> attention to the refcount on dev? I assume not...

I guess net/core/dev.c:netdev_wait_allrefs(), but not sure.

> Should you clear p->dev->br_port before calling dev_put()?

Looks like it is protected by RCU... Anyway the current code does the same.

> Looks reasonable. I like it.
>
> Acked-By: David Howells <dhowells@xxxxxxxxxx>

Thanks! I'll re-send with a proper changelog later today.

Oleg.
