From: Marc Kleine-Budde <mkl@pengutronix.de>
To: "Christopher R. Baker" <cbaker@rec.ri.cmu.edu>,
Stephane Grosjean <s.grosjean@peak-system.com>
Cc: linux-can@vger.kernel.org
Subject: Re: [PATCH] peak_pci: fix use after free in netdev teardown
Date: Mon, 19 May 2014 09:11:08 +0200
Message-ID: <5379AE8C.9050406@pengutronix.de>
In-Reply-To: <1397072720.22713.19.camel@acrs-z800-1>
On 04/09/2014 09:45 PM, Christopher R. Baker wrote:
> Hi All,
>
> In the course of tracking down (and eventually backporting) a fix to one
> of my systems that is still running a 3.2 kernel, I noticed what I
> believe to be a pair of use-after-free bugs in peak_pci.c pertaining to
> the linked list of netdevs that is maintained for multi-port cards.
> These bugs persist in 3.14, so I thought I should send along a patch for
> review.
>
> Basically, the "prev_dev" pointer that is used for this list lives in
> memory that is allocated by alloc_sja1000dev(), but it is referenced
> after the call to free_sja1000dev() when walking the list during
> teardown, both in the failure case of peak_pci_probe and in
> peak_pci_remove. Unless I'm missing something, these are toes waiting
> to be stubbed...
>
> Caveats:
> - This is a growing blob of copy-pasta that should probably be
> refactored to a common location. For example, peak_pci_remove could be
> restructured to incrementally check and free allocated resources,
> allowing the "failure_remove_channels" label to delegate the cleanup to
> peak_pci_remove. I didn't want to bite off too much this time, though,
> so I left that alone.
> - I don't have an expresscard adapter to check the placement of the
> pciec_remove stanzas. By inspection, unregister_sja1000dev does not
> appear to have a path back to the pciec stuff, but I may have missed
> something.
>
> -ChrisR
>
> Signed-off-by: Christopher R. Baker <cbaker@rec.ri.cmu.edu>
Stephane, can you please have a look at the patch?
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
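
The teardown ordering described in the quoted report, as an added example that is not part of this thread and is not code from peak_pci.c: a user-space model in which the list link is stored inside each object, comparing "free, then follow the link" with "save the link, then free". Only prev_dev, alloc_sja1000dev() and free_sja1000dev() are names from the message; every other name, the four-channel list and the instrumentation are assumptions made for the model.

```c
/* Added example: a user-space model, not code from peak_pci.c. */
#include <stdio.h>
#include <string.h>
#define NCHAN 4                          /* constructed: a four-port card */
struct chan { struct chan *prev_dev; };  /* the link lives inside the object */
static struct chan pool[NCHAN];      /* stands in for alloc_sja1000dev() memory */
static struct chan *shadow[NCHAN];   /* true links, kept outside the objects */
static int live[NCHAN], stale_reads;

/* Link the channels as a multi-port probe would; returns the last one. */
static struct chan *model_probe(void) {
    struct chan *prev = NULL;
    stale_reads = 0;
    for (int i = 0; i < NCHAN; i++) {
        pool[i].prev_dev = shadow[i] = prev;
        live[i] = 1;
        prev = &pool[i];
    }
    return prev;
}
/* Stands in for free_sja1000dev(): mark dead and poison the contents. */
static void model_free(struct chan *c) {
    live[c - pool] = 0;
    memset(c, 0x6b, sizeof(*c));
}
/* Instrumented load of c->prev_dev: counts the access if c is already freed. */
static struct chan *load_prev(const struct chan *c) {
    stale_reads += !live[c - pool];  /* nonzero only for a use after free */
    return shadow[c - pool];         /* shadow copy lets the walk continue */
}
/* Order described in the report: free the object, then follow its link. */
int teardown_free_then_read(void) {
    for (struct chan *c = model_probe(); c; c = load_prev(c))
        model_free(c);
    return stale_reads;
}
/* Corrected order: save the link while the object is still live. */
int teardown_read_then_free(void) {
    struct chan *prev;
    for (struct chan *c = model_probe(); c; c = prev) {
        prev = load_prev(c);
        model_free(c);
    }
    return stale_reads;
}
int main(void) {
    printf("free-then-read: %d stale reads\n", teardown_free_then_read());
    printf("read-then-free: %d stale reads\n", teardown_read_then_free());
}
```

In the model every step of the free-first walk reads from an object that has already been released, while the save-first walk never does; on a real allocator the stale read only misbehaves once the memory has been reused or poisoned, which is why such a bug can go unnoticed for years.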