Message-ID: <20151218220204.6faf8e93@lxorguk.ukuu.org.uk>
Date: Fri, 18 Dec 2015 22:02:04 +0000
From: One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
To: David Miller <davem@...emloft.net>
Cc: dvyukov@...gle.com, ajk@...nets.uni-bremen.de,
linux-hams@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, gregkh@...uxfoundation.org,
jslaby@...e.com, syzkaller@...glegroups.com, kcc@...gle.com,
glider@...gle.com, sasha.levin@...cle.com, edumazet@...gle.com
Subject: Re: use-after-free in sixpack_close
> > Also you are at the point the tty is closing so the net device may be
> > active. Don't you need to netif_stop_queue() or defer the buffer
> > kfrees until after the network device is unregistered so you don't pee
> > into free memory if you have a transmit occurring ?
>
> I'm pretty sure that's what the semaphore down above this sequence is
> accomplishing. But if we do need the netif_stop_queue() let's do that
> as a separate patch.
Follow the code path for sp_xmit(). If sp_xmit is called it digs out sp
from the netdev, locks sp->lock and stops the queue then calls sp_encaps
which touches sp->xbuff.
So if one thread of execution hits sp_xmit and another closes the ldisc
at just the wrong moment then we have no protection.
Alan
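The race Alan describes, modelled in user space as an added example (this is not the kernel's 6pack.c and not the fix that was eventually merged). A pthread mutex stands in for sp->lock, a bool for the netdev queue state, and sp_encaps()/sp_xmit()/netif_stop_queue() are hypothetical stand-ins that keep the ordering the mail spells out: lock, stop the queue, touch sp->xbuff. The "racy" close frees xbuff outside the lock; the "safe" close is one assumed ordering (stop the queue and detach the buffer under the lock, free it afterwards) and is labelled as such. The xbuff_freed flag exists only so the model can report a would-be use-after-free instead of actually writing into freed memory.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XBUFF_SIZE 256

/* Hypothetical user-space stand-in for the driver's struct sixpack. */
struct sixpack {
	pthread_mutex_t lock;   /* stands in for sp->lock */
	unsigned char *xbuff;   /* transmit buffer that the close path frees */
	bool xbuff_freed;       /* model only: lets sp_encaps() report a would-be UAF */
	bool queue_stopped;     /* stands in for the netdev queue state */
};

static void netif_stop_queue(struct sixpack *sp) { sp->queue_stopped = true; }

/* Stand-in for sp_encaps(): writes into sp->xbuff.  Returns the byte count,
 * or -1 when the model sees that xbuff was already freed (the real UAF). */
static int sp_encaps(struct sixpack *sp, const unsigned char *data, int len)
{
	if (sp->xbuff_freed)
		return -1;
	if (len > XBUFF_SIZE)
		len = XBUFF_SIZE;
	memcpy(sp->xbuff, data, len);
	return len;
}

/* Stand-in for sp_xmit(): take sp->lock, stop the queue, encapsulate.
 * Returns bytes queued, -1 for a would-be UAF, -2 when the buffer is gone. */
static int sp_xmit(struct sixpack *sp, const unsigned char *data, int len)
{
	int ret;

	pthread_mutex_lock(&sp->lock);
	netif_stop_queue(sp);
	if (!sp->xbuff) {       /* detached by a close that ran under the lock */
		pthread_mutex_unlock(&sp->lock);
		return -2;
	}
	ret = sp_encaps(sp, data, len);
	pthread_mutex_unlock(&sp->lock);
	return ret;
}

/* Close ordering as the mail describes it: the buffer is freed without
 * taking sp->lock, so a concurrent sp_xmit() can still reach it. */
static void racy_close(struct sixpack *sp)
{
	free(sp->xbuff);
	sp->xbuff_freed = true;  /* model only; in the kernel the pointer just dangles */
}

/* Assumed safer ordering (not the kernel's actual fix): stop the queue and
 * detach the buffer under sp->lock, free it only afterwards, so a racing
 * sp_xmit() sees xbuff == NULL rather than a dangling pointer. */
static void safe_close(struct sixpack *sp)
{
	unsigned char *xbuff;

	pthread_mutex_lock(&sp->lock);
	netif_stop_queue(sp);
	xbuff = sp->xbuff;
	sp->xbuff = NULL;
	pthread_mutex_unlock(&sp->lock);
	free(xbuff);
}

static void no_close(struct sixpack *sp) { (void)sp; }  /* baseline: device stays up */

static void sp_init(struct sixpack *sp)
{
	pthread_mutex_init(&sp->lock, NULL);
	sp->xbuff = calloc(XBUFF_SIZE, 1);
	sp->xbuff_freed = false;
	sp->queue_stopped = false;
}

/* The interleaving from the mail: close runs "at just the wrong moment",
 * before the transmit path reaches sp_encaps().  Returns sp_xmit()'s result. */
static int run_interleaving(void (*close_fn)(struct sixpack *))
{
	static const unsigned char frame[] = "constructed AX.25 payload";  /* constructed sample */
	struct sixpack sp;
	int ret;

	sp_init(&sp);
	close_fn(&sp);
	ret = sp_xmit(&sp, frame, (int)sizeof(frame));
	if (sp.xbuff && !sp.xbuff_freed)
		free(sp.xbuff);
	pthread_mutex_destroy(&sp.lock);
	return ret;
}

int main(void)
{
	printf("no close, then xmit:   %d bytes\n", run_interleaving(no_close));
	printf("racy close, then xmit: %d (-1 = would write into freed memory)\n",
	       run_interleaving(racy_close));
	printf("safe close, then xmit: %d (-2 = transmit dropped, buffer gone)\n",
	       run_interleaving(safe_close));
	return 0;
}
```

The semaphore mentioned in the quoted reply serialises the tty-side callers of close, but sp_xmit() is entered from the network stack and only ever takes sp->lock, which is why the model puts the detach of xbuff under that lock rather than relying on anything else.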
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/