* [PATCH net V2] tuntap: correctly handle error in tun_set_iff()
@ 2013-09-11 10:09 Jason Wang
2013-09-11 10:43 ` Michael S. Tsirkin
0 siblings, 1 reply; 3+ messages in thread
From: Jason Wang @ 2013-09-11 10:09 UTC (permalink / raw)
To: davem, mst, netdev, linux-kernel; +Cc: wannes.rombouts, Jason Wang
Commit c8d68e6be1c3b242f1c598595830890b65cea64a
(tuntap: multiqueue support) only call free_netdev() on error in
tun_set_iff(). This causes several issues:
- memory of tun security were leaked
- use after free since the flow gc timer was not deleted and the tfile
were not detached
This patch solves the above issues.
Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
- Changes from V1: shift 1 space for label err_free_netdev and keep
commit log under 70 chars per line.
- The patch were needed for stable kernel 3.8+.
---
drivers/net/tun.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a639de8..807815f 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1641,11 +1641,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
INIT_LIST_HEAD(&tun->disabled);
err = tun_attach(tun, file, false);
if (err < 0)
- goto err_free_dev;
+ goto err_free_flow;
err = register_netdevice(tun->dev);
if (err < 0)
- goto err_free_dev;
+ goto err_detach;
if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) ||
device_create_file(&tun->dev->dev, &dev_attr_owner) ||
@@ -1689,7 +1689,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
strcpy(ifr->ifr_name, tun->dev->name);
return 0;
- err_free_dev:
+err_detach:
+ tun_detach_all(dev);
+err_free_flow:
+ tun_flow_uninit(tun);
+ security_tun_dev_free_security(tun->security);
+err_free_dev:
free_netdev(dev);
return err;
}
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net V2] tuntap: correctly handle error in tun_set_iff()
2013-09-11 10:09 [PATCH net V2] tuntap: correctly handle error in tun_set_iff() Jason Wang
@ 2013-09-11 10:43 ` Michael S. Tsirkin
2013-09-12 21:22 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Michael S. Tsirkin @ 2013-09-11 10:43 UTC (permalink / raw)
To: Jason Wang; +Cc: davem, netdev, linux-kernel, wannes.rombouts
On Wed, Sep 11, 2013 at 06:09:48PM +0800, Jason Wang wrote:
> Commit c8d68e6be1c3b242f1c598595830890b65cea64a
> (tuntap: multiqueue support) only call free_netdev() on error in
> tun_set_iff(). This causes several issues:
>
> - memory of tun security were leaked
> - use after free since the flow gc timer was not deleted and the tfile
> were not detached
>
> This patch solves the above issues.
>
> Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
> Cc: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> - Changes from V1: shift 1 space for label err_free_netdev and keep
> commit log under 70 chars per line.
> - The patch were needed for stable kernel 3.8+.
> ---
> drivers/net/tun.c | 11 ++++++++---
> 1 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index a639de8..807815f 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -1641,11 +1641,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
> INIT_LIST_HEAD(&tun->disabled);
> err = tun_attach(tun, file, false);
> if (err < 0)
> - goto err_free_dev;
> + goto err_free_flow;
>
> err = register_netdevice(tun->dev);
> if (err < 0)
> - goto err_free_dev;
> + goto err_detach;
>
> if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) ||
> device_create_file(&tun->dev->dev, &dev_attr_owner) ||
> @@ -1689,7 +1689,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
> strcpy(ifr->ifr_name, tun->dev->name);
> return 0;
>
> - err_free_dev:
> +err_detach:
> + tun_detach_all(dev);
> +err_free_flow:
> + tun_flow_uninit(tun);
> + security_tun_dev_free_security(tun->security);
> +err_free_dev:
> free_netdev(dev);
> return err;
> }
> --
> 1.7.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net V2] tuntap: correctly handle error in tun_set_iff()
2013-09-11 10:43 ` Michael S. Tsirkin
@ 2013-09-12 21:22 ` David Miller
0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2013-09-12 21:22 UTC (permalink / raw)
To: mst; +Cc: jasowang, netdev, linux-kernel, wannes.rombouts
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Wed, 11 Sep 2013 13:43:50 +0300
> On Wed, Sep 11, 2013 at 06:09:48PM +0800, Jason Wang wrote:
>> Commit c8d68e6be1c3b242f1c598595830890b65cea64a
>> (tuntap: multiqueue support) only call free_netdev() on error in
>> tun_set_iff(). This causes several issues:
>>
>> - memory of tun security were leaked
>> - use after free since the flow gc timer was not deleted and the tfile
>> were not detached
>>
>> This patch solves the above issues.
>>
>> Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
>> Cc: Michael S. Tsirkin <mst@redhat.com>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>
> Acked-by: Michael S. Tsirkin <mst@redhat.com>
Applied and queued up for -stable, thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-09-12 21:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-11 10:09 [PATCH net V2] tuntap: correctly handle error in tun_set_iff() Jason Wang
2013-09-11 10:43 ` Michael S. Tsirkin
2013-09-12 21:22 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).