From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Lin Ma <linma@zju.edu.cn>,
	"David S. Miller" <davem@davemloft.net>,
	Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 5.4 02/84] hamradio: defer 6pack kfree after unregister_netdev
Date: Wed,  4 May 2022 18:43:43 +0200
Message-ID: <20220504152927.930466007@linuxfoundation.org>
In-Reply-To: <20220504152927.744120418@linuxfoundation.org>

From: Lin Ma <linma@zju.edu.cn>

commit 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 upstream.

There is a possible race condition (use-after-free) like below

 (USE)                       |  (FREE)
  dev_queue_xmit             |
   __dev_queue_xmit          |
    __dev_xmit_skb           |
     sch_direct_xmit         | ...
      xmit_one               |
       netdev_start_xmit     | tty_ldisc_kill
        __netdev_start_xmit  |  6pack_close
         sp_xmit             |   kfree
          sp_encaps          |
                             |

According to the patch "defer ax25 kfree after unregister_netdev", this
patch reorders the kfree after the unregister_netdev to avoid the possible
UAF, as unregister_netdev() is well synchronized and won't return if
there is a running routine.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/hamradio/6pack.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -679,9 +679,11 @@ static void sixpack_close(struct tty_str
 	del_timer_sync(&sp->tx_t);
 	del_timer_sync(&sp->resync_t);
 
-	/* Free all 6pack frame buffers. */
+	/* Free all 6pack frame buffers after unreg. */
 	kfree(sp->rbuff);
 	kfree(sp->xbuff);
+
+	free_netdev(sp->dev);
 }
 
 /* Perform I/O control on an active 6pack channel. */
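Review bot: the added free_netdev(sp->dev) at the end of sixpack_close() is not explained by the commit message, which only describes moving the kfree() calls after unregister_netdev(). The diffstat (3 insertions, 1 deletion) is fully accounted for by this hunk, so no unregister_netdev() call is moved here; the changelog should say that the ordering is already in place in this tree and state why the netdev is now freed by hand. An explicit free_netdev() is only safe if nothing else releases the same net_device when it is unregistered, otherwise this becomes a double free, so that condition should be confirmed for 5.4 and noted. Also note that sp->rbuff and sp->xbuff are read after the unregister and sp->dev is read last, which is fine only if sp itself outlives those accesses; a short comment saying so would help. Minor: "after unreg." in the new comment would read better as "after unregister_netdev()".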


