Thread (2 messages) 2 messages, 2 authors, 2022-02-18

Re: [PATCH V3] drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()

From: patchwork-bot+netdevbpf@kernel.org
Date: 2022-02-18 11:00:17
Also in: linux-hams, lkml

Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller [off-list ref]:

On Thu, 17 Feb 2022 09:43:03 +0800 you wrote:
When a 6pack device is detaching, the sixpack_close() will act to cleanup
necessary resources. Although del_timer_sync() in sixpack_close()
won't return if there is an active timer, one could use mod_timer() in
sp_xmit_on_air() to wake up timer again by calling userspace syscall such
as ax25_sendmsg(), ax25_connect() and ax25_ioctl().

This unexpected waked handler, sp_xmit_on_air(), realizes nothing about
the undergoing cleanup and may still call pty_write() to use driver layer
resources that have already been released.

[...]
Here is the summary with links:
  - [V3] drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
    https://git.kernel.org/netdev/net/c/efe4186e6a1b

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help