From: Stephane Grosjean <s.grosjean@peak-system.com>
To: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: "Christopher R. Baker" <cbaker@rec.ri.cmu.edu>,
	linux-can@vger.kernel.org
Subject: Re: [PATCH] peak_pci: fix use after free in netdev teardown
Date: Mon, 19 May 2014 09:16:05 +0200
Message-ID: <5379AFB5.4000202@peak-system.com>
In-Reply-To: <5379AE8C.9050406@pengutronix.de>

Hi Marc,

Certainly I'd like... but didn't get that patch at all! :-) Could you
please forward it to me?

Thanks and regards,

Stéphane

On 19/05/2014 09:11, Marc Kleine-Budde wrote:
> On 04/09/2014 09:45 PM, Christopher R. Baker wrote:
>> Hi All,
>>
>> In the course of tracking down (and eventually backporting) a fix to one
>> of my systems that is still running a 3.2 kernel, I noticed what I
>> believe to be a pair of use-after-free bugs in peak_pci.c pertaining to
>> the linked list of netdevs that is maintained for multi-port cards.
>> These bugs persist in 3.14, so I thought I should send along a patch for
>> review.
>>
>> Basically, the "prev_dev" pointer that is used for this list lives in
>> memory that is allocated by alloc_sja1000dev(), but it is referenced
>> after the call to free_sja1000dev() when walking the list during
>> teardown, both in the failure case of peak_pci_probe and in
>> peak_pci_remove.  Unless I'm missing something, these are toes waiting
>> to be stubbed...
>>
>> Caveats:
>>   - This is a growing blob of copy-pasta that should probably be
>> refactored to a common location.  For example, peak_pci_remove could be
>> restructured to incrementally check and free allocated resources,
>> allowing the "failure_remove_channels" label to delegate the cleanup to
>> peak_pci_remove.  I didn't want to bite off too much this time, though,
>> so I left that alone.
>>   - I don't have an expresscard adapter to check the placement of the
>> pciec_remove stanzas.  By inspection, unregister_sja1000dev does not
>> appear to have a path back to the pciec stuff, but I may have missed
>> something.
>>
>> -ChrisR
>>
>> Signed-off-by: Christopher R. Baker <cbaker@rec.ri.cmu.edu>
> Stephane, can you please have a look at the patch.
>
> Marc
>

--
PEAK-System Technik GmbH, Otto-Roehm-Strasse 69, D-64293 Darmstadt 
Geschaeftsleitung: A.Gach/U.Wilhelm,St.Nr.:007/241/13586 FA Darmstadt 
HRB-9183 Darmstadt, Ust.IdNr.:DE 202220078, WEE-Reg.-Nr.: DE39305391 
Tel.+49 (0)6151-817320 / Fax:+49 (0)6151-817329, info@peak-system.com
--
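
Added example, not part of the original thread and not code from peak_pci.c: a userspace C model of the teardown ordering described in the quoted report, where the prev_dev link lives inside the memory being freed. struct chan, model_free(), read_prev() and build() are hypothetical stand-ins; the model marks a node as freed instead of releasing it, so stale reads can be counted without undefined behaviour.

```c
#include <stdio.h>

/* Model of one channel: stands in for the memory alloc_sja1000dev() returns. */
struct chan {
    struct chan *prev_dev;  /* list link stored inside the node itself */
    int freed;              /* model only: set instead of calling free() */
};

static int stale_reads;     /* reads of prev_dev from an already-freed node */

/* Stand-in for free_sja1000dev(): poison the node rather than release it. */
static void model_free(struct chan *c) { c->freed = 1; }

static struct chan *read_prev(struct chan *c)
{
    if (c->freed)
        stale_reads++;      /* in a real driver this is the use after free */
    return c->prev_dev;
}

/* Link n channels of one card; returns the last channel (the list head). */
static struct chan *build(struct chan *pool, int n)
{
    struct chan *prev = NULL;
    for (int i = 0; i < n; i++) {
        pool[i] = (struct chan){ .prev_dev = prev, .freed = 0 };
        prev = &pool[i];
    }
    return prev;
}

/* Ordering described in the report: free the node, then follow its link. */
static int teardown_free_then_read(struct chan *dev)
{
    for (stale_reads = 0; dev; dev = read_prev(dev))
        model_free(dev);
    return stale_reads;
}

/* One safe ordering: save the link before the node is freed. */
static int teardown_read_then_free(struct chan *dev)
{
    struct chan *prev;
    for (stale_reads = 0; dev; dev = prev) {
        prev = read_prev(dev);
        model_free(dev);
    }
    return stale_reads;
}

int main(void)
{
    struct chan pool[4];
    printf("free-then-read: %d stale reads\n", teardown_free_then_read(build(pool, 4)));
    printf("read-then-free: %d stale reads\n", teardown_read_then_free(build(pool, 4)));
    return 0;
}
```
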

Thread overview: 7+ messages
2014-04-09 19:45 [PATCH] peak_pci: fix use after free in netdev teardown Christopher R. Baker
2014-05-19  7:11 ` Marc Kleine-Budde
2014-05-19  7:16   ` Stephane Grosjean [this message]
2014-05-19  7:18     ` Marc Kleine-Budde
2014-05-19  9:14   ` Stephane Grosjean
2014-05-19  9:20     ` Marc Kleine-Budde
2014-05-19 12:06       ` Stephane Grosjean
