| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220127181930.355c8c82@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date: Thu, 27 Jan 2022 18:19:30 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Jann Horn <jannh@...gle.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Network Development <netdev@...r.kernel.org>,
Oliver Neukum <oneukum@...e.com>,
kernel list <linux-kernel@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
Jacky Chou <jackychou@...x.com.tw>, Willy Tarreau <w@....eu>
Subject: Re: [BUG] net_device UAF: linkwatch_fire_event() calls dev_hold()
after netdev_wait_allrefs() is done
Interesting..
I don't know what link_reset does, but since it turns the carrier on it
seems like something that should be flushed/canceled when the device
goes down. unregister brings the device down under rtnl_lock.
On Fri, 28 Jan 2022 02:51:24 +0100 Jann Horn wrote:
> Is the bug that usbnet_disconnect() should be stopping &dev->kevent
> before calling unregister_netdev()?
I'd say not this one, I think the generally agreed on semantics are that
the netdev is under users control between register and unregister, we
should not cripple it before unregister.
> Or is the bug that ax88179_link_reset() doesn't take some kind of lock
> and re-check that the netdev is still alive?
That'd not be an uncommon way to fix this.. taking rtnl_lock, not even
a driver lock in similar.
> Or should netif_carrier_on() be doing that?
> Or is it the responsibility of the linkwatch code to check whether the
> netdev is already going away?
Possibly, although we don't do much in the way of defensive programming
in networking.
Powered by blists - more mailing lists