| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1452869736-20282-4-git-send-email-david.vrabel@citrix.com>
Date: Fri, 15 Jan 2016 14:55:36 +0000
From: David Vrabel <david.vrabel@...rix.com>
To: <netdev@...r.kernel.org>
CC: David Vrabel <david.vrabel@...rix.com>,
<xen-devel@...ts.xenproject.org>,
Ian Campbell <ian.campbell@...rix.com>,
Wei Liu <wei.liu2@...rix.com>
Subject: [PATCHv2 3/3] xen-netback: free queues after freeing the net device
If a queue still has a NAPI instance added to the net device, freeing
the queues early results in a use-after-free.
The shouldn't ever happen because we disconnect and tear down all queues
before freeing the net device, but doing this makes it obviously safe.
Signed-off-by: David Vrabel <david.vrabel@...rix.com>
---
drivers/net/xen-netback/interface.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
index 3bba6ce..f5231a2 100644
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -685,22 +685,16 @@ void xenvif_deinit_queue(struct xenvif_queue *queue)
void xenvif_free(struct xenvif *vif)
{
- struct xenvif_queue *queue = NULL;
+ struct xenvif_queue *queues = vif->queues;
unsigned int num_queues = vif->num_queues;
unsigned int queue_index;
unregister_netdev(vif->dev);
-
- for (queue_index = 0; queue_index < num_queues; ++queue_index) {
- queue = &vif->queues[queue_index];
- xenvif_deinit_queue(queue);
- }
-
- vfree(vif->queues);
- vif->queues = NULL;
- vif->num_queues = 0;
-
free_netdev(vif->dev);
+ for (queue_index = 0; queue_index < num_queues; ++queue_index)
+ xenvif_deinit_queue(&queues[queue_index]);
+ vfree(queues);
+
module_put(THIS_MODULE);
}
--
2.1.4
Powered by blists - more mailing lists