On Mon, 2016-01-04 at 16:14 +0000, Rainer Weikusat wrote: > Eric Dumazet <eric.duma...@gmail.com> writes: > > On Mon, 2016-01-04 at 10:10 +0100, Jacob Siverskog wrote: > > [...] > > >> I believe the crash occurred between these two actions. I just saw > >> that there are some interesting events in the log prior to the crash: > >> kernel: Bluetooth: Unable to push skb to HCI core(-6) > >> kernel: (stc): proto stack 4's ->recv failed > >> kernel: (stc): remove_channel_from_table: id 3 > >> kernel: (stc): remove_channel_from_table: id 2 > >> kernel: (stc): remove_channel_from_table: id 4 > >> kernel: (stc): all chnl_ids unregistered > >> kernel: (stk) :ldisc_install = 0(stc): st_tty_close > >> > >> The first print is from btwilink.c. However, I can't see the > >> connection between Bluetooth (BLE) and UDP/IPv6 (we're not using > >> 6LoWPAN or anything similar). > >> > >> Thanks, Jacob > > > > Definitely these details are useful ;) > > > > Could you try : > > > > diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c > > index 6e3af8b42cdd..0c99a74fb895 100644 > > --- a/drivers/misc/ti-st/st_core.c > > +++ b/drivers/misc/ti-st/st_core.c > > @@ -912,7 +912,9 @@ void st_core_exit(struct st_data_s *st_gdata) > > skb_queue_purge(&st_gdata->txq); > > skb_queue_purge(&st_gdata->tx_waitq); > > kfree_skb(st_gdata->rx_skb); > > + st_gdata->rx_skb = NULL; > > kfree_skb(st_gdata->tx_skb); > > + st_gdata->tx_skb = NULL; > > /* TTY ldisc cleanup */ > > err = tty_unregister_ldisc(N_TI_WL); > > if (err) > > Hmm ... the code continues with > > err = tty_unregister_ldisc(N_TI_WL); > if (err) > pr_err("unable to un-register ldisc %ld", err); > /* free the global data pointer */ > kfree(st_gdata); > > So who would ever see that the rx_skb and tx_skb pointers were cleared > prior to freeing the data structure containing them?
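Review bot: the two NULL stores added after kfree_skb() in st_core_exit() can only be observed by code that still reaches st_gdata after this function has run, and the continuation quoted in the reply shows kfree(st_gdata) a few lines further down, so any such reader is already touching freed memory. As a diagnostic the change is reasonable, since it turns a stale skb dereference into a NULL dereference that is easier to recognize in an oops, but it should carry a comment saying that this is its purpose. A fix proper would have to keep whatever path still holds st_gdata from using it once st_core_exit() has started, rather than rely on the contents of a structure that is about to be freed.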
This is the theory, but I suspect a use after free. kfree(st_gdata) does not clear all content with 0, unless you use special SLUB/SLAB debugging features.
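The point made in the reply above, as an added example (a user-space toy model written for this page, not code from the thread or from the ti-st driver): a free that does not zero memory leaves a dangling pointer for a stale reader, clearing the field first leaves NULL, and debug poisoning leaves a recognizable pattern. `toy_kfree`, `toy_core_exit` and `stale_rx_state` are hypothetical names, and a static slot stands in for the slab object so that the stale read is well defined.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not kernel code: one static slot stands in for a slab object. */
struct skb { int len; };
struct st_data { struct skb *rx_skb; struct skb *tx_skb; };

enum { POISON_BYTE = 0x6b };   /* byte value SLUB uses to poison freed objects */
static struct st_data slot;    /* backing memory stays readable after toy_kfree() */
static int poison_on_free;     /* 0: plain free, 1: debug poisoning enabled */

static void toy_kfree(struct st_data *p)
{
    if (poison_on_free)
        memset(p, POISON_BYTE, sizeof(*p));
    /* otherwise the old contents are left in place, as with a plain kfree() */
}

/* Teardown in the shape of st_core_exit(); clear_ptrs selects the patched form. */
static void toy_core_exit(struct st_data *st, int clear_ptrs)
{
    /* kfree_skb(st->rx_skb) would run here; the skb is gone from this point on */
    if (clear_ptrs)
        st->rx_skb = NULL;
    toy_kfree(st);
}

/* What a stale reader finds in rx_skb after teardown:
 * 0 = NULL, 1 = dangling pointer to the freed skb, 2 = poison pattern. */
static int stale_rx_state(int clear_ptrs, int poison)
{
    static struct skb rx;
    unsigned char pat[sizeof(slot.rx_skb)];

    memset(pat, POISON_BYTE, sizeof(pat));
    poison_on_free = poison;
    slot = (struct st_data){ .rx_skb = &rx };
    toy_core_exit(&slot, clear_ptrs);
    if (memcmp(&slot.rx_skb, pat, sizeof(pat)) == 0)
        return 2;
    return slot.rx_skb == NULL ? 0 : 1;
}

int main(void)
{
    printf("unpatched=%d patched=%d poisoned=%d\n",
           stale_rx_state(0, 0), stale_rx_state(1, 0), stale_rx_state(0, 1));
    return 0;
}
```

With poisoning enabled the cleared field is overwritten as well, so the NULL stores matter only on kernels that free without poisoning.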