Subject: Re: [PATCH v0] mctp: defer the kfree of object mdev->addrs
From: Jeremy Kerr
To: Lin Ma, matt@codeconstruct.com.au, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 26 Apr 2022 11:30:08 +0800
In-Reply-To: <20220422114340.32346-1-linma@zju.edu.cn>
References: <20220422114340.32346-1-linma@zju.edu.cn>

Hi Lin,

> The function mctp_unregister() reclaims the device's relevant resource
> when a netcard detaches. However, a running routine may be unaware of
> this and cause the use-after-free of the mdev->addrs object.

[...]

> To this end, just like the commit e04480920d1e ("Bluetooth: defer
> cleanup of resources in hci_unregister_dev()") this patch defers the
> destructive kfree(mdev->addrs) in mctp_unregister to the mctp_dev_put,
> where the refcount of mdev is zero and the entire device is reclaimed.
> This prevents the use-after-free because the sendmsg thread holds the
> reference of mdev in the mctp_route object.

Looks good to me, thanks for checking this out.

We could also check out the semantics of ->addrs over a release (perhaps
we should clear addresses immediately with the write lock held?), but
that would be best done as a separate change.

So:

Acked-by: Jeremy Kerr

Cheers,

Jeremy
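
Added example, not part of the original message and not kernel code: a userspace C model of the lifetime rule the patch description relies on, where the address array is freed in the final put rather than in unregister. All names (model_dev, dev_hold, dev_put, dev_unregister) are hypothetical stand-ins, and a plain int replaces the kernel's refcount type.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model only; hypothetical names, not the kernel's MCTP structs. */
struct model_dev {
    int refs;              /* plain int stands in for a kernel refcount */
    unsigned char *addrs;  /* models mdev->addrs */
};

static int frees_of_addrs; /* instrumentation so the scenario can be checked */

static struct model_dev *dev_create(const unsigned char *a, size_t n)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    d->addrs = malloc(n);
    if (!d->addrs) { free(d); return NULL; }
    memcpy(d->addrs, a, n);
    d->refs = 1;           /* reference owned by the registration */
    return d;
}

static void dev_hold(struct model_dev *d) { d->refs++; }

/* Returns 1 when this put released the device and its addrs. */
static int dev_put(struct model_dev *d)
{
    if (--d->refs > 0) return 0;
    free(d->addrs);        /* deferred free: no holder can remain here */
    frees_of_addrs++;
    free(d);
    return 1;
}

/* Unregister drops only the registration's reference; addrs is untouched. */
static int dev_unregister(struct model_dev *d) { return dev_put(d); }

/* A sender holds a reference (as through a route) across unregister. */
static int sender_reads_after_unregister(void)
{
    const unsigned char eids[] = { 8, 9 };  /* constructed sample addresses */
    struct model_dev *d = dev_create(eids, sizeof(eids));
    if (!d) return -1;
    dev_hold(d);                            /* sender's reference */
    if (dev_unregister(d) != 0) return -2;  /* must not free yet */
    int seen = d->addrs[0] + d->addrs[1];   /* still valid memory */
    if (frees_of_addrs != 0) return -3;     /* addrs not freed early */
    if (dev_put(d) != 1) return -4;         /* last put frees addrs */
    return seen;
}
```

If dev_unregister() freed addrs directly, the read in sender_reads_after_unregister() would touch freed memory, which is the use-after-free the quoted description refers to.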