From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lin Ma <linma@zju.edu.cn>,
Jakub Kicinski <kuba@kernel.org>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 4.19 04/12] hamradio: remove needs_free_netdev to avoid UAF
Date: Fri, 29 Apr 2022 12:41:21 +0200 [thread overview]
Message-ID: <20220429104048.588599421@linuxfoundation.org> (raw)
In-Reply-To: <20220429104048.459089941@linuxfoundation.org>
From: Lin Ma <linma@zju.edu.cn>
commit 81b1d548d00bcd028303c4f3150fa753b9b8aa71 upstream.
The former patch "defer 6pack kfree after unregister_netdev" reorders
the kfree of two buffer after the unregister_netdev to prevent the race
condition. It also adds free_netdev() function in sixpack_close(), which
is a direct copy from the similar code in mkiss_close().
However, in sixpack driver, the flag needs_free_netdev is set to true in
sp_setup(), hence the unregister_netdev() will free the netdev
automatically. Therefore, as the sp is netdev_priv, use-after-free
occurs.
This patch removes the needs_free_netdev = true and just let the
free_netdev to finish this deallocation task.
Fixes: 0b9111922b1f ("hamradio: defer 6pack kfree after unregister_netdev")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20211111141402.7551-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hamradio/6pack.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -311,7 +311,6 @@ static void sp_setup(struct net_device *
{
/* Finish setting up the DEVICE info. */
dev->netdev_ops = &sp_netdev_ops;
- dev->needs_free_netdev = true;
dev->mtu = SIXP_MTU;
dev->hard_header_len = AX25_MAX_HEADER_LEN;
dev->header_ops = &ax25_header_ops;
next prev parent reply other threads:[~2022-04-29 10:42 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-29 10:41 [PATCH 4.19 00/12] 4.19.241-rc1 review Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 01/12] media: vicodec: upon release, call m2m release before freeing ctrl handler Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 02/12] floppy: disable FDRAWCMD by default Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 03/12] hamradio: defer 6pack kfree after unregister_netdev Greg Kroah-Hartman
2022-04-29 10:41 ` Greg Kroah-Hartman [this message]
2022-04-29 10:41 ` [PATCH 4.19 05/12] net/sched: cls_u32: fix netns refcount changes in u32_change() Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 06/12] powerpc/64/interrupt: Temporarily save PPR on stack to fix register corruption due to SLB miss Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 07/12] powerpc/64s: Unmerge EX_LR and EX_DAR Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 08/12] Revert "ia64: kprobes: Fix to pass correct trampoline address to the handler" Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 09/12] Revert "ia64: kprobes: Use generic kretprobe trampoline handler" Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 10/12] ia64: kprobes: Fix to pass correct trampoline address to the handler Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 11/12] Revert "net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link" Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 4.19 12/12] lightnvm: disable the subsystem Greg Kroah-Hartman
2022-04-29 17:15 ` [PATCH 4.19 00/12] 4.19.241-rc1 review Jon Hunter
2022-04-29 18:36 ` Shuah Khan
2022-04-29 23:48 ` Guenter Roeck
2022-04-30 5:55 ` Naresh Kamboju
2022-04-30 10:18 ` Sudip Mukherjee
2022-05-03 10:41 ` Pavel Machek
2022-05-03 14:16 ` Guenter Roeck
2022-05-03 14:25 ` Greg Kroah-Hartman
2022-05-03 16:41 ` Guenter Roeck
2022-05-09 8:04 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220429104048.588599421@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=linma@zju.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=ovidiu.panait@windriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.