Re: [PATCH v0] mctp: defer the kfree of object mdev->addrs

From: patchwork-bot+netdevbpf
Date: Tue Apr 26 2022 - 03:50:32 EST

Next message: Adrian Hunter: "Re: [PATCH V5 2/5] mmc: sdhci: Capture eMMC and SD card errors"
Previous message: Chen, Rong A: "Re: [broonie-sound:for-5.19 88/98] sound/soc/soc-acpi.c:58:36: warning: initialization of 'struct acpi_device *' from 'int' makes pointer from integer without a cast"
In reply to: Jeremy Kerr: "Re: [PATCH v0] mctp: defer the kfree of object mdev->addrs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello:

This patch was applied to netdev/net.git (master)
by Paolo Abeni <pabeni@xxxxxxxxxx>:

On Fri, 22 Apr 2022 19:43:40 +0800 you wrote:
> The function mctp_unregister() reclaims the device's relevant resource
> when a netcard detaches. However, a running routine may be unaware of
> this and cause the use-after-free of the mdev->addrs object.
>
> The race condition can be demonstrated below
>
> cleanup thread another thread
> |
> unregister_netdev() | mctp_sendmsg()
> ... | ...
> mctp_unregister() | rt = mctp_route_lookup()
> ... | mctl_local_output()
> kfree(mdev->addrs) | ...
> | saddr = rt->dev->addrs[0];
> |
>
> [...]

Here is the summary with links:
- [v0] mctp: defer the kfree of object mdev->addrs
https://git.kernel.org/netdev/net/c/b561275d633b

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Next message: Adrian Hunter: "Re: [PATCH V5 2/5] mmc: sdhci: Capture eMMC and SD card errors"
Previous message: Chen, Rong A: "Re: [broonie-sound:for-5.19 88/98] sound/soc/soc-acpi.c:58:36: warning: initialization of 'struct acpi_device *' from 'int' makes pointer from integer without a cast"
In reply to: Jeremy Kerr: "Re: [PATCH v0] mctp: defer the kfree of object mdev->addrs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]