hamradio: defer ax25 kfree after unregister_netdev
There is a possible race condition (use-after-free) like below

 (USE)                       |  (FREE)
ax25_sendmsg                 |
 ax25_queue_xmit             |
  dev_queue_xmit             |
   __dev_queue_xmit          |
    __dev_xmit_skb           |
     sch_direct_xmit         | ...
      xmit_one               |
       netdev_start_xmit     | tty_ldisc_kill
        __netdev_start_xmit  |  mkiss_close
         ax_xmit             |   kfree
          ax_encaps          |
                             |

Even though there are two synchronization primitives before the kfree:

1. wait_for_completion(&ax->dead). This can prevent the race with routines from mkiss_ioctl. However, it cannot stop the routine coming from the upper layer, i.e., the ax25_sendmsg.

2. netif_stop_queue(ax->dev). It seems that this line of code aims to halt the transmit queue but it fails to stop the routine that is already being xmit.

This patch reorders the kfree after the unregister_netdev to avoid the possible UAF as the unregister_netdev() is well synchronized and won't return if there is a running routine.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent
54f0bad6
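
The ordering problem described in the commit message, as an added single-threaded user-space model (not the patch and not kernel code). All names are hypothetical, the interleaving is constructed, and the model assumes, as the message states, that unregistering waits for a sender that is already running.

```c
/* Added illustration: user-space model of the teardown order, not kernel code.
 * Every name here is hypothetical; the interleaving is constructed. */
#include <stdbool.h>
#include <stdlib.h>

struct model_dev {
    int *priv;            /* stands in for the driver's private struct */
    bool queue_stopped;   /* set by the netif_stop_queue() stand-in */
    bool in_flight;       /* a sender already passed the queue check */
    int stale_uses;       /* times a sender ran after priv was freed */
};

/* Upper-layer sender enters the xmit path; only new senders see the stop flag. */
static bool sender_enter(struct model_dev *d)
{
    if (d->queue_stopped)
        return false;
    d->in_flight = true;
    return true;
}

/* The in-flight sender reaches the code that touches the private data. */
static void sender_finish(struct model_dev *d)
{
    if (!d->in_flight)
        return;
    if (d->priv == NULL)
        d->stale_uses++;  /* the kernel would dereference freed memory here */
    else
        (*d->priv)++;
    d->in_flight = false;
}

/* Assumption from the commit message: unregister waits for running senders. */
static void model_unregister(struct model_dev *d) { sender_finish(d); }

static void model_free(struct model_dev *d) { free(d->priv); d->priv = NULL; }

/* Run the close path with a sender already in flight; return stale uses. */
int teardown(bool free_before_unregister)
{
    struct model_dev d = { calloc(1, sizeof(int)), false, false, 0 };
    if (d.priv == NULL)
        return -1;             /* allocation failed, nothing to model */
    sender_enter(&d);          /* sender passes the check before close starts */
    d.queue_stopped = true;    /* stops new senders, not the one in flight */
    if (free_before_unregister) {
        model_free(&d);        /* old order: free while a sender may still run */
        model_unregister(&d);
    } else {
        model_unregister(&d);  /* patched order: drain senders first */
        model_free(&d);
    }
    return d.stale_uses;
}
```
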