linux-kernel.vger.kernel.org archive mirror
* [PATCH] netvsc: fix use-after-free in netvsc_change_mtu()
@ 2017-03-02 13:00 Dexuan Cui
  2017-03-02 17:06 ` Stephen Hemminger
  2017-03-02 22:43 ` David Miller
  0 siblings, 2 replies; 3+ messages in thread
From: Dexuan Cui @ 2017-03-02 13:00 UTC (permalink / raw)
  To: David Miller, netdev, Stephen Hemminger, KY Srinivasan, Haiyang Zhang
  Cc: linux-kernel, driverdev-devel

'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove ->
free_netvsc_device, so we mustn't access it, before it's re-created in
rndis_filter_device_add -> netvsc_device_add.

Signed-off-by: Dexuan Cui <decui@microsoft.com>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
---
 drivers/net/hyperv/netvsc_drv.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index 2d3cdb0..bc05c89 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -859,15 +859,22 @@ static int netvsc_change_mtu(struct net_device *ndev, int mtu)
 	if (ret)
 		goto out;
 
+	memset(&device_info, 0, sizeof(device_info));
+	device_info.ring_size = ring_size;
+	device_info.num_chn = nvdev->num_chn;
+	device_info.max_num_vrss_chns = nvdev->num_chn;
+
 	ndevctx->start_remove = true;
 	rndis_filter_device_remove(hdev, nvdev);
 
+	/* 'nvdev' has been freed in rndis_filter_device_remove() ->
+	 * netvsc_device_remove () -> free_netvsc_device().
+	 * We mustn't access it before it's re-created in
+	 * rndis_filter_device_add() -> netvsc_device_add().
+	 */
+
 	ndev->mtu = mtu;
 
-	memset(&device_info, 0, sizeof(device_info));
-	device_info.ring_size = ring_size;
-	device_info.num_chn = nvdev->num_chn;
-	device_info.max_num_vrss_chns = nvdev->num_chn;
 	rndis_filter_device_add(hdev, &device_info);
 
 out:
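Review bot: the call to rndis_filter_device_add(hdev, &device_info) at the end of this hunk has no error handling in the visible lines, and that matters more once the new comment spells out that 'nvdev' is gone after rndis_filter_device_remove(). If the re-create step fails, ndev->mtu already holds the new value and nothing here restores the old MTU or reports the failure to the caller. Consider capturing the result in 'ret', and on failure restoring the previous MTU before jumping to 'out'. Since the local 'nvdev' pointer is dangling from the remove call until the end of the function, it would also help to stop it being reused by accident, for example by reading everything needed into locals up front (as done here for num_chn) and not touching 'nvdev' afterwards. Two style nits: there is a stray space in "netvsc_device_remove ()" inside the comment, and the blank line between the comment and "ndev->mtu = mtu;" separates the comment from the code it guards.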
-- 
2.7.4


* Re: [PATCH] netvsc: fix use-after-free in netvsc_change_mtu()
  2017-03-02 13:00 [PATCH] netvsc: fix use-after-free in netvsc_change_mtu() Dexuan Cui
@ 2017-03-02 17:06 ` Stephen Hemminger
  2017-03-02 22:43 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Hemminger @ 2017-03-02 17:06 UTC (permalink / raw)
  To: Dexuan Cui
  Cc: David Miller, netdev, Stephen Hemminger, KY Srinivasan,
	Haiyang Zhang, driverdev-devel, linux-kernel

On Thu, 2 Mar 2017 13:00:53 +0000
Dexuan Cui <decui@microsoft.com> wrote:

> 'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove ->
> free_netvsc_device, so we mustn't access it, before it's re-created in
> rndis_filter_device_add -> netvsc_device_add.
> 
> Signed-off-by: Dexuan Cui <decui@microsoft.com>
> Cc: "K. Y. Srinivasan" <kys@microsoft.com>
> Cc: Haiyang Zhang <haiyangz@microsoft.com>
> Cc: Stephen Hemminger <sthemmin@microsoft.com>

Reviewed-by: Stephen Hemminger <sthemmin@microsoft.com>


* Re: [PATCH] netvsc: fix use-after-free in netvsc_change_mtu()
  2017-03-02 13:00 [PATCH] netvsc: fix use-after-free in netvsc_change_mtu() Dexuan Cui
  2017-03-02 17:06 ` Stephen Hemminger
@ 2017-03-02 22:43 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2017-03-02 22:43 UTC (permalink / raw)
  To: decui; +Cc: netdev, sthemmin, kys, haiyangz, linux-kernel, driverdev-devel

From: Dexuan Cui <decui@microsoft.com>
Date: Thu, 2 Mar 2017 13:00:53 +0000

> 'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove ->
> free_netvsc_device, so we mustn't access it, before it's re-created in
> rndis_filter_device_add -> netvsc_device_add.
> 
> Signed-off-by: Dexuan Cui <decui@microsoft.com>

Applied.
