lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 15 Jul 2012 18:43:14 -0700
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	sjur.brandeland@...ricsson.com
Cc:	davem@...emloft.net, netdev@...r.kernel.org, sjurbren@...il.com,
	Dmitry Tarnyagin <dmitry.tarnyagin@...ricsson.com>
Subject: Re: [PATCH net] caif: Fix access to freed pernet memory

sjur.brandeland@...ricsson.com writes:

> From: Sjur Brændeland <sjur.brandeland@...ricsson.com>
>
> unregister_netdevice_notifier() must be called before
> unregister_pernet_subsys() to avoid accessing already freed
> pernet memory. This fixes the following oops when doing rmmod:

Acked-by: "Eric W. Biederman" <ebiederm@...ssion.com>

The patch looks good to me.

You might want to look at error handling during caif_device_init
as well, as it looks like the same ordering issue is present.
Although unlikely to bite anyone at that point.

Eric

>
> Call Trace:
>  [<ffffffffa0f802bd>] caif_device_notify+0x4d/0x5a0 [caif]
>  [<ffffffff81552ba9>] unregister_netdevice_notifier+0xb9/0x100
>  [<ffffffffa0f86dcc>] caif_device_exit+0x1c/0x250 [caif]
>  [<ffffffff810e7734>] sys_delete_module+0x1a4/0x300
>  [<ffffffff810da82d>] ? trace_hardirqs_on_caller+0x15d/0x1e0
>  [<ffffffff813517de>] ? trace_hardirqs_on_thunk+0x3a/0x3
>  [<ffffffff81696bad>] system_call_fastpath+0x1a/0x1f
>
> RIP
>  [<ffffffffa0f7f561>] caif_get+0x51/0xb0 [caif]
>
> Signed-off-by: Sjur Brændeland <sjur.brandeland@...ricsson.com>
> ---
>
> Hi Dave,
>
> Can you please queue up this bugfix as appropriate for -net and -stable?
>
> I guess this bug has been around since introduction of network
> name spaces in CAIF, but it became visible after 3.4 and the commit:
> "net: In unregister_netdevice_notifier unregister the netdevices." 
>
> Thanks,
> Sjur
>
>  net/caif/caif_dev.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
> index 554b312..8c83c17 100644
> --- a/net/caif/caif_dev.c
> +++ b/net/caif/caif_dev.c
> @@ -561,9 +561,9 @@ static int __init caif_device_init(void)
>  
>  static void __exit caif_device_exit(void)
>  {
> -	unregister_pernet_subsys(&caif_net_ops);
>  	unregister_netdevice_notifier(&caif_device_notifier);
>  	dev_remove_pack(&caif_packet_type);
> +	unregister_pernet_subsys(&caif_net_ops);
>  }
>  
>  module_init(caif_device_init);
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ