lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <87zk70tr9p.fsf@xmission.com> Date: Sun, 15 Jul 2012 18:43:14 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: sjur.brandeland@...ricsson.com Cc: davem@...emloft.net, netdev@...r.kernel.org, sjurbren@...il.com, Dmitry Tarnyagin <dmitry.tarnyagin@...ricsson.com> Subject: Re: [PATCH net] caif: Fix access to freed pernet memory sjur.brandeland@...ricsson.com writes: > From: Sjur Brændeland <sjur.brandeland@...ricsson.com> > > unregister_netdevice_notifier() must be called before > unregister_pernet_subsys() to avoid accessing already freed > pernet memory. This fixes the following oops when doing rmmod: Acked-by: "Eric W. Biederman" <ebiederm@...ssion.com> The patch looks good to me. You might want to look at error handling during caif_device_init as well, as it looks like the same ordering issue is present. Although unlikely to bite anyone at that point. Eric > > Call Trace: > [<ffffffffa0f802bd>] caif_device_notify+0x4d/0x5a0 [caif] > [<ffffffff81552ba9>] unregister_netdevice_notifier+0xb9/0x100 > [<ffffffffa0f86dcc>] caif_device_exit+0x1c/0x250 [caif] > [<ffffffff810e7734>] sys_delete_module+0x1a4/0x300 > [<ffffffff810da82d>] ? trace_hardirqs_on_caller+0x15d/0x1e0 > [<ffffffff813517de>] ? trace_hardirqs_on_thunk+0x3a/0x3 > [<ffffffff81696bad>] system_call_fastpath+0x1a/0x1f > > RIP > [<ffffffffa0f7f561>] caif_get+0x51/0xb0 [caif] > > Signed-off-by: Sjur Brændeland <sjur.brandeland@...ricsson.com> > --- > > Hi Dave, > > Can you please queue up this bugfix as appropriate for -net and -stable? > > I guess this bug has been around since introduction of network > name spaces in CAIF, but it became visible after 3.4 and the commit: > "net: In unregister_netdevice_notifier unregister the netdevices." > > Thanks, > Sjur > > net/caif/caif_dev.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c > index 554b312..8c83c17 100644 > --- a/net/caif/caif_dev.c > +++ b/net/caif/caif_dev.c > @@ -561,9 +561,9 @@ static int __init caif_device_init(void) > > static void __exit caif_device_exit(void) > { > - unregister_pernet_subsys(&caif_net_ops); > unregister_netdevice_notifier(&caif_device_notifier); > dev_remove_pack(&caif_packet_type); > + unregister_pernet_subsys(&caif_net_ops); > } > > module_init(caif_device_init); -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists