From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
linux-wpan@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 098/174] inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
Date: Thu, 16 Jan 2020 12:41:35 -0500 [thread overview]
Message-ID: <20200116174251.24326-98-sashal@kernel.org> (raw)
In-Reply-To: <20200116174251.24326-1-sashal@kernel.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ae7352d384a552d8c799c242e74a934809990a71 ]
Both IPv6 and 6lowpan are calling inet_frags_fini() too soon.
inet_frags_fini() is dismantling a kmem_cache, that might be needed
later when unregister_pernet_subsys() eventually has to remove
frags queues from hash tables and free them.
This fixes potential use-after-free, and is a prereq for the following patch.
Fixes: d4ad4d22e7ac ("inet: frags: use kmem_cache for inet_frag_queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ieee802154/6lowpan/reassembly.c | 2 +-
net/ipv6/reassembly.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
index 6183730d38db..e728dae467c3 100644
--- a/net/ieee802154/6lowpan/reassembly.c
+++ b/net/ieee802154/6lowpan/reassembly.c
@@ -634,7 +634,7 @@ int __init lowpan_net_frag_init(void)
void lowpan_net_frag_exit(void)
{
- inet_frags_fini(&lowpan_frags);
lowpan_frags_sysctl_unregister();
unregister_pernet_subsys(&lowpan_frags_ops);
+ inet_frags_fini(&lowpan_frags);
}
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index ec917f58d105..17e9ed2edb86 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -774,8 +774,8 @@ int __init ipv6_frag_init(void)
void ipv6_frag_exit(void)
{
- inet_frags_fini(&ip6_frags);
ip6_frags_sysctl_unregister();
unregister_pernet_subsys(&ip6_frags_ops);
inet6_del_protocol(&frag_protocol, IPPROTO_FRAGMENT);
+ inet_frags_fini(&ip6_frags);
}
--
2.20.1
next prev parent reply other threads:[~2020-01-16 17:53 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200116174251.24326-1-sashal@kernel.org>
2020-01-16 17:40 ` [PATCH AUTOSEL 4.4 058/174] net: sh_eth: fix a missing check of of_get_phy_mode Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 069/174] dccp: Fix memleak in __feat_register_sp Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 072/174] ehea: Fix a copy-paste err in ehea_init_port_res Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 076/174] tipc: set sysctl_tipc_rmem and named_timeout right range Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 079/174] 6lowpan: Off by one handling ->nexthdr Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 082/174] packet: in recvmsg msg_name return at least sizeof sockaddr_ll Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 089/174] netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule Sasha Levin
2020-01-16 17:41 ` Sasha Levin [this message]
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 102/174] net/af_iucv: always register net_device notifier Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 109/174] net: pasemi: fix an use-after-free in pasemi_mac_phy_init() Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 111/174] libertas_tf: Use correct channel range in lbtf_geo_init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 125/174] mac80211: minstrel_ht: fix per-group max throughput rate initialization Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 133/174] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 134/174] net: sonic: return NETDEV_TX_OK if failed to map buffer Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 137/174] net: sonic: replace dev_kfree_skb in sonic_send_packet Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 138/174] net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 140/174] net: hisilicon: Fix signedness bug in hix5hd2_dev_probe() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 141/174] net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 142/174] net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 143/174] mac80211: accept deauth frames in IBSS mode Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 144/174] llc: fix another potential sk_buff leak in llc_ui_sendmsg() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 145/174] llc: fix sk_buff refcounting in llc_conn_state_process() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 146/174] net: stmmac: fix length of PTP clock's name string Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 150/174] net: qca_spi: Move reset_count to struct qcaspi Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 151/174] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 155/174] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 157/174] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 162/174] net: neigh: use long type to store jiffies delta Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 164/174] packet: fix data-race in fanout_flow_is_huge() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116174251.24326-98-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wpan@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).