From: Leon Romanovsky <leon@kernel.org>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Nir Levy <bhr166@gmail.com>,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org
Subject: Re: [PATCH net v2] net: atm: Fix use-after-free bug in atm_dev_register()
Date: Wed, 14 Dec 2022 09:51:09 +0200
Message-ID: <Y5mAbfpeHEuQp0BE@unreal>
In-Reply-To: <20221213191233.5d0a7c8f@kernel.org>

On Tue, Dec 13, 2022 at 07:12:33PM -0800, Jakub Kicinski wrote:
> On Mon, 12 Dec 2022 09:12:30 +0200 Leon Romanovsky wrote:
> > > v2: Call put_device in atm_register_sysfs instead of atm_dev_register.
> >
> > Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
>
> On one of the previous versions you commented that
> atm_unregister_sysfs() also needs to move to unregister() rather
> than del():
>
> https://lore.kernel.org/all/Y48CwyATYAAcPgqT@unreal/
>
> Is that not the case?

Yes, it should, but it is a much larger change than this fix and someone
needs to do it as a separate patch.

You can't simply replace device_del() in atm_unregister_sysfs() because
of how atm_dev_put() is implemented. The latter blindly calls put_device(&dev->class_dev)
and you can't remove it without a close look at all atm_dev_put() callers.

> Also atm_dev_register() still frees the dev on atm_register_sysfs()
> failure, is that okay?

Yes, the kernel panic points out that class_dev (not dev) had a use-after-free.

Thanks