* [PATCH 4.4-stable] slip: stop double free sl->dev in slip_open
@ 2020-02-22 9:46 yangerkun
2020-02-24 3:06 ` yangerkun
0 siblings, 1 reply; 4+ messages in thread
From: yangerkun @ 2020-02-22 9:46 UTC (permalink / raw)
To: gregkh; +Cc: stable, yangerkun
After commit e4c157955483 ("slip: Fix use-after-free Read in slip_open"),
we will double free sl->dev since sl_free_netdev will free sl->dev too.
It's fine for mainline since sl_free_netdev in mainline won't free
sl->dev.
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
drivers/net/slip/slip.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index ef6b25ec75a1..7fe9183fad0e 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -861,7 +861,6 @@ err_free_chan:
tty->disc_data = NULL;
clear_bit(SLF_INUSE, &sl->flags);
sl_free_netdev(sl->dev);
- free_netdev(sl->dev);
err_exit:
rtnl_unlock();
--
2.17.2
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 4.4-stable] slip: stop double free sl->dev in slip_open 2020-02-22 9:46 [PATCH 4.4-stable] slip: stop double free sl->dev in slip_open yangerkun @ 2020-02-24 3:06 ` yangerkun 2020-02-27 12:49 ` Greg KH 0 siblings, 1 reply; 4+ messages in thread From: yangerkun @ 2020-02-24 3:06 UTC (permalink / raw) To: gregkh; +Cc: stable, davem, netdev cc David and netdev mail list too. On 2020/2/22 17:46, yangerkun wrote: > After commit e4c157955483 ("slip: Fix use-after-free Read in slip_open"), > we will double free sl->dev since sl_free_netdev will free sl->dev too. > It's fine for mainline since sl_free_netdev in mainline won't free > sl->dev. > > Signed-off-by: yangerkun <yangerkun@huawei.com> > --- > drivers/net/slip/slip.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c > index ef6b25ec75a1..7fe9183fad0e 100644 > --- a/drivers/net/slip/slip.c > +++ b/drivers/net/slip/slip.c > @@ -861,7 +861,6 @@ err_free_chan: > tty->disc_data = NULL; > clear_bit(SLF_INUSE, &sl->flags); > sl_free_netdev(sl->dev); > - free_netdev(sl->dev); > > err_exit: > rtnl_unlock(); > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 4.4-stable] slip: stop double free sl->dev in slip_open 2020-02-24 3:06 ` yangerkun @ 2020-02-27 12:49 ` Greg KH 2020-02-27 14:20 ` yangerkun 0 siblings, 1 reply; 4+ messages in thread From: Greg KH @ 2020-02-27 12:49 UTC (permalink / raw) To: yangerkun; +Cc: stable, davem, netdev On Mon, Feb 24, 2020 at 11:06:48AM +0800, yangerkun wrote: > cc David and netdev mail list too. > > On 2020/2/22 17:46, yangerkun wrote: > > After commit e4c157955483 ("slip: Fix use-after-free Read in slip_open"), > > we will double free sl->dev since sl_free_netdev will free sl->dev too. > > It's fine for mainline since sl_free_netdev in mainline won't free > > sl->dev. > > > > Signed-off-by: yangerkun <yangerkun@huawei.com> > > --- > > drivers/net/slip/slip.c | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c > > index ef6b25ec75a1..7fe9183fad0e 100644 > > --- a/drivers/net/slip/slip.c > > +++ b/drivers/net/slip/slip.c > > @@ -861,7 +861,6 @@ err_free_chan: > > tty->disc_data = NULL; > > clear_bit(SLF_INUSE, &sl->flags); > > sl_free_netdev(sl->dev); > > - free_netdev(sl->dev); > > err_exit: > > rtnl_unlock(); > > > What commit causes this only to be needed on the 4.4-stable tree? Can you please list it in the commit log so that we know this? And this is only for 4.4.y, not 4.9.y or anything else? Why? thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 4.4-stable] slip: stop double free sl->dev in slip_open 2020-02-27 12:49 ` Greg KH @ 2020-02-27 14:20 ` yangerkun 0 siblings, 0 replies; 4+ messages in thread From: yangerkun @ 2020-02-27 14:20 UTC (permalink / raw) To: Greg KH; +Cc: stable, davem, netdev On 2020/2/27 20:49, Greg KH wrote: > On Mon, Feb 24, 2020 at 11:06:48AM +0800, yangerkun wrote: >> cc David and netdev mail list too. >> >> On 2020/2/22 17:46, yangerkun wrote: >>> After commit e4c157955483 ("slip: Fix use-after-free Read in slip_open"), >>> we will double free sl->dev since sl_free_netdev will free sl->dev too. >>> It's fine for mainline since sl_free_netdev in mainline won't free >>> sl->dev. >>> >>> Signed-off-by: yangerkun <yangerkun@huawei.com> >>> --- >>> drivers/net/slip/slip.c | 1 - >>> 1 file changed, 1 deletion(-) >>> >>> diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c >>> index ef6b25ec75a1..7fe9183fad0e 100644 >>> --- a/drivers/net/slip/slip.c >>> +++ b/drivers/net/slip/slip.c >>> @@ -861,7 +861,6 @@ err_free_chan: >>> tty->disc_data = NULL; >>> clear_bit(SLF_INUSE, &sl->flags); >>> sl_free_netdev(sl->dev); >>> - free_netdev(sl->dev); >>> err_exit: >>> rtnl_unlock(); >>> >> > > What commit causes this only to be needed on the 4.4-stable tree? Can > you please list it in the commit log so that we know this? > > And this is only for 4.4.y, not 4.9.y or anything else? Why? Hi, Sorry for does not check other stable branch! The problem exist in 4.4 stable branch because we merged 3b5a39979daf ("slip: Fix memory leak in slip_open error path") and e58c19124189 ("slip: Fix use-after-free Read in slip_open") without the patch cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state."). And since cf124db566e6 has remove the free_netdev exist in sl_free_netdev, so fault branch err_free_chan in slip_open will not call free_netdev twice in mainline. However, 4.4 stable branch will do it. Futhermore, since sl_free_netdev will do the all we need, so I think delete the free_netdev below sl_free_netdev in slip_open will be fine to fix the double free problem, also two problem describes by previous two patch. After check for 3.16.y/4.9.y/4.14.y/4.19.y/5.4.y/5.5.y, and the result show as below: 3.16.y: No double free problem since below two commit has not merged in: e58c19124189 slip: Fix use-after-free Read in slip_open 3b5a39979daf slip: Fix memory leak in slip_open error path 4.9.y: problem exist 4.14.y/4.19.y/5.4.y/5.5.y: no double free problem since cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.") has been included So, 4.9.y need this patch too! I will resend the patch for 4.4.y and 4.9.y with commit message refresh. Thanks, Kun. > > thanks, > > greg k-h > > . > ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-02-27 14:21 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-02-22 9:46 [PATCH 4.4-stable] slip: stop double free sl->dev in slip_open yangerkun 2020-02-24 3:06 ` yangerkun 2020-02-27 12:49 ` Greg KH 2020-02-27 14:20 ` yangerkun
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.