Re: [PATCH v1] hamradio: remove needs_free_netdev to avoid UAF

From: Jakub Kicinski
Date: Thu Nov 11 2021 - 20:55:04 EST

Next message: kernel test robot: "[hare-scsi-devel:scsi-private.v2 10/21] include/linux/compiler_types.h:140:41: error: 'struct CommandList' has no member named 'refcount'"
Previous message: Jakub Kicinski: "Re: [PATCH net-next 0/2] net: snmp: tracepoint support for snmp"
In reply to: Lin Ma: "[PATCH v1] hamradio: remove needs_free_netdev to avoid UAF"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH v1] hamradio: remove needs_free_netdev to avoid UAF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 11 Nov 2021 22:14:02 +0800 Lin Ma wrote:
> The former patch "defer 6pack kfree after unregister_netdev" reorders
> the kfree of two buffer after the unregister_netdev to prevent the race
> condition. It also adds free_netdev() function in sixpack_close(), which
> is a direct copy from the similar code in mkiss_close().
>
> However, in sixpack driver, the flag needs_free_netdev is set to true in
> sp_setup(), hence the unregister_netdev() will free the netdev
> automatically. Therefore, as the sp is netdev_priv, use-after-free
> occurs.
>
> This patch removes the needs_free_netdev = true and just let the
> free_netdev to finish this deallocation task.
>
> Signed-off-by: Lin Ma <linma@xxxxxxxxxx>

Fixes: 0b9111922b1f ("hamradio: defer 6pack kfree after unregister_netdev")

Next message: kernel test robot: "[hare-scsi-devel:scsi-private.v2 10/21] include/linux/compiler_types.h:140:41: error: 'struct CommandList' has no member named 'refcount'"
Previous message: Jakub Kicinski: "Re: [PATCH net-next 0/2] net: snmp: tracepoint support for snmp"
In reply to: Lin Ma: "[PATCH v1] hamradio: remove needs_free_netdev to avoid UAF"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH v1] hamradio: remove needs_free_netdev to avoid UAF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]