Message-Id: <20080110.035032.244503144.davem@davemloft.net>
Date: Thu, 10 Jan 2008 03:50:32 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: xemul@...nvz.org
Cc: netdev@...r.kernel.org, devel@...nvz.org
Subject: Re: [PATCH][NEIGH] Fix race between neigh_parms_release and neightbl_fill_parms
From: Pavel Emelyanov <xemul@...nvz.org>
Date: Thu, 10 Jan 2008 13:56:53 +0300
> The neightbl_fill_parms() is called under the write-locked
> tbl->lock and accesses the parms->dev. The neigh_parms_release()
> calls the dev_put(parms->dev) without this lock. This
> creates a tiny race window in which the parms contain a
> potentially stale dev pointer.
>
> To fix this race it's enough to move the dev_put() up
> under the tbl->lock, but note that the parms are held by
> neighbors and thus can live after the neigh_parms_release()
> is called, so we can still have a parm with a bad dev pointer.
>
> I didn't find where the neigh->parms->dev is accessed, but
> still think that putting the dev is to be done in a place
> where the parms are really freed. Am I right with that?
>
> Signed-off-by: Pavel Emelyanov <xemul@...nvz.org>
It is accessed in lookup_neigh_parms(), neightbl_fill_parms(), and
neightbl_fill_info() (hmmm, that BUG_ON(tbl->parms.dev) is cute).
Your fix looks correct, patch applied, thanks!
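Added example (constructed; not the kernel's neighbour code and not the applied patch): a single-threaded model of the two dev_put() placements discussed above, with a lockdep-style audit flag standing in for tbl->lock, so a test can show that the original placement drops the device reference without the lock that neightbl_fill_parms() relies on when reading parms->dev, while the moved placement does not. The struct layout, the `write_held` flag and `run_release()` are assumptions made for the model.

```c
#include <stddef.h>

/* Constructed model of the structures involved; not the kernel's own code. */
struct net_device { int refcnt; };
struct neigh_parms { struct net_device *dev; struct neigh_parms *next; };
struct neigh_table {
    int write_held;           /* stands in for tbl->lock: 1 while write-locked */
    int unlocked_puts;        /* audit: dev_put() calls made without tbl->lock */
    struct neigh_parms parms; /* list head, like tbl->parms */
};
struct release_result { int unlocked_puts; int dev_refcnt; };

/* Lock model: only the held/not-held state matters for this check. */
static void tbl_write_lock(struct neigh_table *t)   { t->write_held = 1; }
static void tbl_write_unlock(struct neigh_table *t) { t->write_held = 0; }

/* dev_put() with a lockdep-style check: drop the reference and record whether
 * the caller held the lock that neightbl_fill_parms() takes to read parms->dev. */
static void dev_put_audited(struct neigh_table *t, struct net_device *dev)
{
    if (!t->write_held)
        t->unlocked_puts++;
    dev->refcnt--;
}

/* Release as the message describes: unlink under tbl->lock, then drop the
 * device reference either after unlocking (fixed == 0, the racy original) or
 * inside the locked region (fixed == 1, where the applied patch moves it). */
static void neigh_parms_release_model(struct neigh_table *t, struct neigh_parms *p, int fixed)
{
    struct neigh_parms **pp;
    tbl_write_lock(t);
    for (pp = &t->parms.next; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; break; }
    if (fixed && p->dev)
        dev_put_audited(t, p->dev);
    tbl_write_unlock(t);
    if (!fixed && p->dev)
        dev_put_audited(t, p->dev); /* a reader holding tbl->lock here still sees p->dev */
}

/* One table, one parms entry holding a device reference: release it and report
 * how many dev_put() calls ran outside the lock, plus the device's final refcnt. */
struct release_result run_release(int fixed)
{
    struct net_device dev = { .refcnt = 2 };   /* one ref held by parms, one elsewhere */
    struct neigh_parms p = { .dev = &dev, .next = NULL };
    struct neigh_table t = { .write_held = 0, .unlocked_puts = 0, .parms = { NULL, &p } };
    struct release_result r;
    neigh_parms_release_model(&t, &p, fixed);
    r.unlocked_puts = t.unlocked_puts;         /* 1 on the racy path, 0 once fixed */
    r.dev_refcnt = dev.refcnt;                 /* 1 either way: the reference is dropped */
    return r;
}
```

The audit counter is the part a practitioner would keep: the same check, expressed as a lock-held assertion inside the put path, turns this class of ordering bug into a deterministic failure instead of a rare stale-pointer read.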