Date: Fri, 31 Aug 2018 20:53:05 -0700
From: Greg KH
To: Zubin Mithra
Cc: stable@vger.kernel.org, jasowang@redhat.com, davem@davemloft.net, groeck@chromium.org
Subject: Re: [PATCH v4.14.y] tun: fix use after free for ptr_ring
Message-ID: <20180901035305.GE27141@kroah.com>
References: <20180831213642.251705-1-zsm@chromium.org>
In-Reply-To: <20180831213642.251705-1-zsm@chromium.org>

On Fri, Aug 31, 2018 at 02:36:42PM -0700, Zubin Mithra wrote:
> From: Jason Wang
>
> commit b196d88aba8ac72b775137854121097f4c4c6862 upstream.
>
> We used to initialize the ptr_ring during TUNSETIFF, because its
> size depends on the tx_queue_len of the netdevice, and we tried to clean it
> up when the socket was detached from the netdevice. A race was spotted when
> trying to do uninit during a read, which leads to a use after free of the
> pointer ring. Solve this by always initializing a zero-size ptr_ring
> in open() and resizing it during TUNSETIFF; then we can safely do
> cleanup during close(). With this, there's no need for the workaround
> that was introduced by commit 4df0bfc79904 ("tun: fix a memory leak
> for tfile->tx_array").
>
> Backport Note :-
> This is a backport of the following 2 upstream patches (the second fixes the
> first).
> b196d88aba ("tun: fix use after free for ptr_ring")
> 7063efd33b ("tuntap: fix use after free during release")

Please backport the two patches individually, do not mush anything together.

thanks,

greg k-h
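The lifecycle the quoted commit message describes, as an added userspace model that is not the kernel's tun.c or ptr_ring.h: the ring is a valid object from open() to close(), TUNSETIFF only resizes it, and detaching from the netdevice no longer frees it, so a read racing with detach finds an empty ring rather than freed memory. Function names, the ring layout and the tun_file struct are simplified assumptions.

```c
/* Simplified model of the fixed tun ptr_ring lifecycle (added example). */
#include <stdlib.h>
#include <stddef.h>

struct ptr_ring { void **queue; int size; int head; int tail; };

/* Like ptr_ring_init: a size-0 ring has no backing array but is still valid. */
static int ring_init(struct ptr_ring *r, int size) {
    r->queue = size ? calloc((size_t)size, sizeof(void *)) : NULL;
    if (size && !r->queue) return -1;
    r->size = size; r->head = r->tail = 0;
    return 0;
}
static int ring_produce(struct ptr_ring *r, void *p) {
    if (!r->size || r->queue[r->tail]) return -1;     /* zero-sized or full */
    r->queue[r->tail] = p; r->tail = (r->tail + 1) % r->size;
    return 0;
}
static void *ring_consume(struct ptr_ring *r) {
    void *p;
    if (!r->size) return NULL;                         /* empty; never touches a NULL queue */
    p = r->queue[r->head];
    if (p) { r->queue[r->head] = NULL; r->head = (r->head + 1) % r->size; }
    return p;
}
/* Like ptr_ring_resize: carry pending entries over to a new array
 * (entries that do not fit a smaller ring are dropped in this model). */
static int ring_resize(struct ptr_ring *r, int size) {
    struct ptr_ring n; void *p;
    if (ring_init(&n, size)) return -1;
    while ((p = ring_consume(r)) && ring_produce(&n, p) == 0) ;
    free(r->queue); *r = n;
    return 0;
}
static void ring_cleanup(struct ptr_ring *r) { free(r->queue); r->queue = NULL; r->size = 0; }

/* Per-file state: open() always initialises a zero-size ring, TUNSETIFF
 * resizes it to tx_queue_len, detach leaves it alone, close() frees it. */
struct tun_file { struct ptr_ring tx_ring; int attached; };

static int tun_open(struct tun_file *t) { t->attached = 0; return ring_init(&t->tx_ring, 0); }
static int tun_set_iff(struct tun_file *t, int tx_queue_len) {
    t->attached = 1; return ring_resize(&t->tx_ring, tx_queue_len);
}
static void tun_detach(struct tun_file *t) { t->attached = 0; /* no cleanup here any more */ }
static void *tun_read(struct tun_file *t) { return ring_consume(&t->tx_ring); }
static void tun_close(struct tun_file *t) { ring_cleanup(&t->tx_ring); }
```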