From: Duoming Zhou <duoming@zju.edu.cn>
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-hams@vger.kernel.org,
pabeni@redhat.com, kuba@kernel.org, edumazet@google.com,
davem@davemloft.net, jreuter@yaina.de,
Duoming Zhou <duoming@zju.edu.cn>
Subject: [PATCH net] ax25: fix use-after-free bugs caused by ax25_ds_del_timer
Date: Tue, 26 Mar 2024 22:25:42 +0800 [thread overview]
Message-ID: <20240326142542.118058-1-duoming@zju.edu.cn> (raw)
When the ax25 device is detaching, the ax25_dev_device_down()
calls ax25_ds_del_timer() to cleanup the slave_timer. When
the timer handler is running, the ax25_ds_del_timer() that
calls del_timer() in it will return directly. As a result,
the use-after-free bugs could happen, one of the scenarios
is shown below:
(Thread 1) | (Thread 2)
| ax25_ds_timeout()
ax25_dev_device_down() |
ax25_ds_del_timer() |
del_timer() |
ax25_dev_put() //FREE |
| ax25_dev-> //USE
In order to mitigate bugs, when the device is detaching, use
timer_shutdown_sync() to stop the timer.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
net/ax25/ax25_ds_timer.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/ax25/ax25_ds_timer.c b/net/ax25/ax25_ds_timer.c
index c4f8adbf814..5624c0d174c 100644
--- a/net/ax25/ax25_ds_timer.c
+++ b/net/ax25/ax25_ds_timer.c
@@ -43,7 +43,12 @@ void ax25_ds_setup_timer(ax25_dev *ax25_dev)
void ax25_ds_del_timer(ax25_dev *ax25_dev)
{
- if (ax25_dev)
+ if (!ax25_dev)
+ return;
+
+ if (!ax25_dev->device_up)
+ timer_shutdown_sync(&ax25_dev->dama.slave_timer);
+ else
del_timer(&ax25_dev->dama.slave_timer);
}
--
2.17.1
next reply other threads:[~2024-03-26 14:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-26 14:25 Duoming Zhou [this message]
2024-03-27 19:10 ` [PATCH net] ax25: fix use-after-free bugs caused by ax25_ds_del_timer Simon Horman
2024-03-28 5:34 ` duoming
2024-03-28 18:12 ` Simon Horman
2024-03-29 1:54 ` duoming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240326142542.118058-1-duoming@zju.edu.cn \
--to=duoming@zju.edu.cn \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jreuter@yaina.de \
--cc=kuba@kernel.org \
--cc=linux-hams@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.