Re: [regression] nf_iterate(), BUG: unable to handle kernel NULLpointer dereference
From: Dieter Ries
Date: Fri Jul 25 2008 - 04:02:30 EST
Pekka Enberg schrieb:
On Thu, 2008-07-24 at 11:51 -0700, Andrew Morton wrote:
On Thu, 24 Jul 2008 16:34:36 +0300 Pekka Enberg <penberg@xxxxxxxxxxxxxx> wrote:
Your patch introduced a use-after-free and double-free.
krealloc() frees the old pointer, but it is still used
for the ->move operations, then freed again.
To fix this I think we need a __krealloc() that doesn't
free the old memory, especially since it must not be
freed immediately because it may still be used in a RCU
read side (see the last part in the patch attached to
this mail (based on a kernel without your patch)).
Agreed. Something like this, perhaps?
[PATCH] netfilter: fix double-free and use-after free
As suggested by Patrick McHardy, introduce a __krealloc() that doesn't
free the original buffer to fix a double-free and use-after-free bug
introduced by me in netfilter that uses RCU.
Reported-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxxxxxx>
Looks good to me, thanks.
Ingo, can you please test this? Andrew, I'm at OLS so can you pick up
the patch in your tree?
Sure. Or Patrick can do so and it can be merged via the net tree.
Ingo, did this patch actually fix something over there?
Apparently it didn't but it did fix Dieter's problem:
http://lkml.org/lkml/2008/7/24/337
Dieter, can we add a Tested-by tag from you to this patch?
Yes, it definitely fixed my issue and I have not encountered
further problems with the patch. The machine
is running fine with it.
Do I have to explicitly add my
Tested-by: Dieter Ries <clip2@xxxxxx>
tag somewhere (if yes, where?) or is this enough for you?
cu
Dieter
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/