Re: [PATCH] macvlan: Fix use after free of struct macvlan_port.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: David Miller <davem@davemloft.net>
To: ebiederm@xmission.com
Cc: netdev@vger.kernel.org, kaber@trash.net, greearb@candelatech.com,
	eric.dumazet@gmail.com
Subject: Re: [PATCH] macvlan: Fix use after free of struct macvlan_port.
Date: Mon, 21 Mar 2011 18:22:32 -0700 (PDT)	[thread overview]
Message-ID: <20110321.182232.200375244.davem@davemloft.net> (raw)
In-Reply-To: <m1aagojhu4.fsf@fess.ebiederm.org>

From: ebiederm@xmission.com (Eric W. Biederman)
Date: Mon, 21 Mar 2011 14:15:31 -0700

> 
> When the macvlan driver was extended to call unregisgter_netdevice_queue
> in 23289a37e2b127dfc4de1313fba15bb4c9f0cd5b, a use after free of struct
> macvlan_port was introduced.  The code in dellink relied on unregister_netdevice
> actually unregistering the net device so it would be safe to free macvlan_port.
> 
> Since unregister_netdevice_queue can just queue up the unregister instead of
> performing the unregiser immediately we free the macvlan_port too soon and
> then the code in macvlan_stop removes the macaddress for the set of macaddress
> to listen for and uses memory that has already been freed.
> 
> To fix this add a reference count to track when it is safe to free the macvlan_port
> and move the call of macvlan_port_destroy into macvlan_uninit which is guaranteed
> to be called after the final macvlan_port_close.
> 
> Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>

Applied, thanks Eric.

     prev parent reply	other threads:[~2011-03-22  1:21 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-21 21:15 [PATCH] macvlan: Fix use after free of struct macvlan_port Eric W. Biederman
2011-03-22  1:22 ` David Miller [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110321.182232.200375244.davem@davemloft.net \
    --to=davem@davemloft.net \
    --cc=ebiederm@xmission.com \
    --cc=eric.dumazet@gmail.com \
    --cc=greearb@candelatech.com \
    --cc=kaber@trash.net \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.