Re: use-after-free in sixpack_close

From: One Thousand Gnomes
Date: Fri Dec 18 2015 - 17:03:21 EST


> > Also you are at the point the tty is closing so the net device may be
> > active. Don't you need to netif_stop_queue() or defer the buffer
> > kfrees until after the network device is unregistered so you don't pee
> > into free memory if you have a transmit occurring ?
>
> I'm pretty sure that's what the semaphore down above this sequence is
> accomplishing. But if we do need the netif_stop_queue() let's do that
> as a separate patch.

Follow the code path for sp_xmit(). If sp_xmit is called it digs out sp
from the netdev, locks sp->lock, stops the queue, then calls sp_encaps
which touches sp->xbuff.

So if one thread of execution hits sp_xmit and another closes the ldisc
at just the wrong moment then we have no protection.

Alan
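To make the ordering problem in the reply concrete, here is an added userspace model of the two code paths, written for this note and not taken from the 6pack driver or the kernel. All names (sixpack_model, sp_xmit_model, sixpack_close_model, xmit_during_close and friends) are hypothetical stand-ins for the real structures and functions, the interleaving is made explicit through a callback instead of a second CPU, sp->lock is omitted because the model is single-threaded, and a NULL xbuff after free stands in for the freed memory that the real sp_encaps() would scribble into. The two orderings compared are the one discussed above (free the buffers, then unregister the net device) and the one the reply asks for (unregister, so no further transmits can be dispatched, then free).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XBUFF_SIZE 256

/* Hypothetical stand-in for the driver's per-tty state. */
struct sixpack_model {
    int netdev_registered;   /* cleared by the unregister step            */
    int queue_stopped;       /* netif_stop_queue() / queue running again  */
    unsigned char *xbuff;    /* transmit buffer the encapsulation writes  */
};

enum xmit_result { XMIT_OK, XMIT_DROPPED, XMIT_USE_AFTER_FREE };
enum close_order { FREE_THEN_UNREGISTER, UNREGISTER_THEN_FREE };

static void sixpack_open_model(struct sixpack_model *sp)
{
    sp->netdev_registered = 1;
    sp->queue_stopped = 0;
    sp->xbuff = malloc(XBUFF_SIZE);
}

/* Model of sp_xmit(): the network core only dispatches a transmit while the
 * device is registered and its queue is running, so that is checked first. */
static enum xmit_result sp_xmit_model(struct sixpack_model *sp,
                                      const unsigned char *data, size_t len)
{
    if (!sp->netdev_registered || sp->queue_stopped)
        return XMIT_DROPPED;
    sp->queue_stopped = 1;              /* netif_stop_queue(dev) */
    /* The encapsulation step copies the frame into sp->xbuff. In the model a
     * NULL xbuff marks a buffer that was already freed; the real driver has
     * no such check and would write into freed memory here. */
    if (sp->xbuff == NULL)
        return XMIT_USE_AFTER_FREE;
    memcpy(sp->xbuff, data, len < XBUFF_SIZE ? len : XBUFF_SIZE);
    sp->queue_stopped = 0;              /* model: transmit completes at once */
    return XMIT_OK;
}

static void free_buffers_model(struct sixpack_model *sp)
{
    free(sp->xbuff);
    sp->xbuff = NULL;                   /* poison marker, see sp_xmit_model() */
}

static void unregister_netdev_model(struct sixpack_model *sp)
{
    sp->queue_stopped = 1;
    sp->netdev_registered = 0;          /* no further transmits dispatched */
}

/* Model of the close path. `between` runs between the two teardown steps and
 * stands for another CPU entering sp_xmit() at just the wrong moment. */
static enum xmit_result sixpack_close_model(struct sixpack_model *sp,
                                            enum close_order order,
                                            enum xmit_result (*between)(struct sixpack_model *))
{
    enum xmit_result r;

    if (order == FREE_THEN_UNREGISTER) {       /* ordering discussed above */
        free_buffers_model(sp);
        r = between(sp);
        unregister_netdev_model(sp);
    } else {                                   /* unregister first, then free */
        unregister_netdev_model(sp);
        r = between(sp);
        free_buffers_model(sp);
    }
    return r;
}

/* Constructed frame standing in for an outgoing packet. */
static const unsigned char sample_frame[] = "constructed sample frame";

static enum xmit_result racing_xmit(struct sixpack_model *sp)
{
    return sp_xmit_model(sp, sample_frame, sizeof sample_frame);
}

/* Run one close with a transmit racing it and report what the transmit saw. */
enum xmit_result xmit_during_close(enum close_order order)
{
    struct sixpack_model sp;

    sixpack_open_model(&sp);
    return sixpack_close_model(&sp, order, racing_xmit);
}

int main(void)
{
    static const char *names[] = { "ok", "dropped", "use-after-free" };

    printf("free then unregister: %s\n", names[xmit_during_close(FREE_THEN_UNREGISTER)]);
    printf("unregister then free: %s\n", names[xmit_during_close(UNREGISTER_THEN_FREE)]);
    return 0;
}
```

With the buffers freed first, the racing transmit reaches the buffer write and reports the use-after-free; with the device unregistered first, the same transmit is refused before it can touch xbuff, which is the ordering the reply above is asking for. The model only fixes the interleaving the thread describes; it does not stand in for the locking the real driver needs.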