From: Lin Ma
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, jirislaby@kernel.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, Lin Ma
Subject: [PATCH v1 1/2] hamradio: defer ax25 kfree after unregister_netdev
Date: Mon, 8 Nov 2021 18:37:21 +0800
Message-Id: <20211108103721.30522-1-linma@zju.edu.cn>

There is a possible race condition (use-after-free) like below

 (USE)                       |  (FREE)
ax25_sendmsg                 |
 ax25_queue_xmit             |
  dev_queue_xmit             |
   __dev_queue_xmit          |
    __dev_xmit_skb           |
     sch_direct_xmit         | ...
      xmit_one               |
       netdev_start_xmit     | tty_ldisc_kill
        __netdev_start_xmit  |  mkiss_close
         ax_xmit             |   kfree
          ax_encaps          |
                             |

Even though there are two synchronization primitives before the kfree:

1. wait_for_completion(&ax->dead). This can prevent the race with
routines from mkiss_ioctl. However, it cannot stop the routine coming
from upper layer, i.e., the ax25_sendmsg.

2. netif_stop_queue(ax->dev). It seems that this line of code aims to
halt the transmit queue but it fails to stop the routine that is already
being xmit.

This patch reorders the kfree after the unregister_netdev to avoid the
possible UAF as the unregister_netdev() is well synchronized and won't
return if there is a running routine.

Signed-off-by: Lin Ma
--- drivers/net/hamradio/mkiss.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c index 867252a0247b..e2b332b54f06 100644 --- a/drivers/net/hamradio/mkiss.c +++ b/drivers/net/hamradio/mkiss.c @@ -792,13 +792,14 @@ static void mkiss_close(struct tty_struct *tty) */ netif_stop_queue(ax->dev); - /* Free all AX25 frame buffers. */ - kfree(ax->rbuff); - kfree(ax->xbuff); - ax->tty = NULL; unregister_netdev(ax->dev); + + /* Free all AX25 frame buffers after unreg. */ + kfree(ax->rbuff); + kfree(ax->xbuff); + free_netdev(ax->dev); } -- 2.33.1
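
Review bot: In mkiss_close(), "ax->tty = NULL;" still runs before unregister_netdev(ax->dev), so a transmit that the commit message says can still be in flight after netif_stop_queue() may now find rbuff/xbuff alive but the tty pointer already cleared. Whether ax_xmit()/ax_encaps() read ax->tty is not visible in this hunk; please confirm that path tolerates a NULL tty, or move the assignment below unregister_netdev() together with the kfree() calls. The new comment "after unreg." would also be more useful if it stated why the order matters, i.e. that unregister_netdev() is what waits for a running transmit to finish.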