lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Mar 2012 19:33:36 -0400 (EDT) From: David Miller <davem@...emloft.net> To: gregkh@...uxfoundation.org Cc: tom.leiming@...il.com, netdev@...r.kernel.org, linux-usb@...r.kernel.org, stable@...nel.org, bigeasy@...utronix.de, stern@...land.harvard.edu, oliver@...kum.org Subject: Re: [PATCH 1/2] usbnet: increase URB reference count before usb_unlink_urb From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Date: Thu, 22 Mar 2012 07:35:53 -0700 > On Thu, Mar 22, 2012 at 09:22:18PM +0800, Ming Lei wrote: >> Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid >> recursive locking in usbnet_stop()) fixes the recursive locking >> problem by releasing the skb queue lock, but it makes usb_unlink_urb >> racing with defer_bh, and the URB to being unlinked may be freed before >> or during calling usb_unlink_urb, so use-after-free problem may be >> triggerd inside usb_unlink_urb. >> >> The patch fixes the use-after-free problem by increasing URB >> reference count with skb queue lock held before calling >> usb_unlink_urb, so the URB won't be freed until return from >> usb_unlink_urb. >> >> Cc: stable@...nel.org >> Cc: Sebastian Andrzej Siewior <bigeasy@...utronix.de> >> Cc: Alan Stern <stern@...land.harvard.edu> >> Cc: Oliver Neukum <oliver@...kum.org> >> Reported-by: Dave Jones <davej@...hat.com> >> Signed-off-by: Ming Lei <tom.leiming@...il.com> > > Acked-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists