Re: [PATCH] netvsc: fix use-after-free in netvsc_change_mtu()

2017-03-02 Thread David Miller
From: Dexuan Cui 
Date: Thu, 2 Mar 2017 13:00:53 +

> 'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove ->
> free_netvsc_device, so we mustn't access it before it's re-created in
> rndis_filter_device_add -> netvsc_device_add.
> 
> Signed-off-by: Dexuan Cui 

Applied.


Re: [PATCH] netvsc: fix use-after-free in netvsc_change_mtu()

2017-03-02 Thread Stephen Hemminger
On Thu, 2 Mar 2017 13:00:53 +
Dexuan Cui  wrote:

> 'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove ->
> free_netvsc_device, so we mustn't access it before it's re-created in
> rndis_filter_device_add -> netvsc_device_add.
> 
> Signed-off-by: Dexuan Cui 
> Cc: "K. Y. Srinivasan" 
> Cc: Haiyang Zhang 
> Cc: Stephen Hemminger 

Reviewed-by: Stephen Hemminger 


[PATCH] netvsc: fix use-after-free in netvsc_change_mtu()

2017-03-02 Thread Dexuan Cui
'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove ->
free_netvsc_device, so we mustn't access it before it's re-created in
rndis_filter_device_add -> netvsc_device_add.

Signed-off-by: Dexuan Cui 
Cc: "K. Y. Srinivasan" 
Cc: Haiyang Zhang 
Cc: Stephen Hemminger 
---
 drivers/net/hyperv/netvsc_drv.c | 15 +++
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index 2d3cdb0..bc05c89 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -859,15 +859,22 @@ static int netvsc_change_mtu(struct net_device *ndev, int 
mtu)
if (ret)
goto out;
 
+   memset(_info, 0, sizeof(device_info));
+   device_info.ring_size = ring_size;
+   device_info.num_chn = nvdev->num_chn;
+   device_info.max_num_vrss_chns = nvdev->num_chn;
+
ndevctx->start_remove = true;
rndis_filter_device_remove(hdev, nvdev);
 
+   /* 'nvdev' has been freed in rndis_filter_device_remove() ->
+* netvsc_device_remove () -> free_netvsc_device().
+* We mustn't access it before it's re-created in
+* rndis_filter_device_add() -> netvsc_device_add().
+*/
+
ndev->mtu = mtu;
 
-   memset(_info, 0, sizeof(device_info));
-   device_info.ring_size = ring_size;
-   device_info.num_chn = nvdev->num_chn;
-   device_info.max_num_vrss_chns = nvdev->num_chn;
rndis_filter_device_add(hdev, _info);
 
 out:
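Review bot: after `rndis_filter_device_remove(hdev, nvdev);` the local `nvdev` is left dangling for the rest of netvsc_change_mtu(), and the new comment block only warns about it; consider adding `nvdev = NULL;` right after the remove call so any future access in the `ndev->mtu = mtu;` / `rndis_filter_device_add()` path faults immediately instead of silently reading freed memory, as the old `device_info.num_chn = nvdev->num_chn;` lines did. Moving the device_info setup (including the two `nvdev->num_chn` reads) above the remove call is the right fix; since this closes a use-after-free, a `Fixes:` tag naming the commit that introduced the ordering would help stable backports.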
-- 
2.7.4