Re: [PATCH net V2] tun: fix use after free for ptr_ring

2018-05-14 Thread David Miller
From: Jason Wang
Date: Fri, 11 May 2018 10:49:25 +0800
> We used to initialize ptr_ring during TUNSETIFF; this is because its size depends on the tx_queue_len of the netdevice. And we try to clean it up when the socket was detached from the netdevice. A race was spotted when

Re: [PATCH net V2] tun: fix use after free for ptr_ring

2018-05-13 Thread Jason Wang
On May 12, 2018 at 01:39, Cong Wang wrote: On Thu, May 10, 2018 at 7:49 PM, Jason Wang wrote: static void __tun_detach(struct tun_file *tfile, bool clean) { struct tun_file *ntfile; @@ -736,7 +727,8 @@ static void __tun_detach(struct tun_file *tfile, bool clean)

Re: [PATCH net V2] tun: fix use after free for ptr_ring

2018-05-13 Thread David Miller
From: Jason Wang
Date: Fri, 11 May 2018 10:49:25 +0800
> We used to initialize ptr_ring during TUNSETIFF; this is because its size depends on the tx_queue_len of the netdevice. And we try to clean it up when the socket was detached from the netdevice. A race was spotted when

Re: [PATCH net V2] tun: fix use after free for ptr_ring

2018-05-11 Thread Michael S. Tsirkin
On Fri, May 11, 2018 at 10:49:25AM +0800, Jason Wang wrote:
> We used to initialize ptr_ring during TUNSETIFF; this is because its size depends on the tx_queue_len of the netdevice. And we try to clean it up when the socket was detached from the netdevice. A race was spotted when trying to do uninit

Re: [PATCH net V2] tun: fix use after free for ptr_ring

2018-05-11 Thread Cong Wang
On Thu, May 10, 2018 at 7:49 PM, Jason Wang wrote: > static void __tun_detach(struct tun_file *tfile, bool clean) > { > struct tun_file *ntfile; > @@ -736,7 +727,8 @@ static void __tun_detach(struct tun_file *tfile, bool > clean) >

[PATCH net V2] tun: fix use after free for ptr_ring

2018-05-10 Thread Jason Wang
We used to initialize ptr_ring during TUNSETIFF; this is because its size depends on the tx_queue_len of the netdevice. And we try to clean it up when the socket was detached from the netdevice. A race was spotted when trying to do uninit during a read, which will lead to a use after free for the pointer ring.