Re: [PATCH v0] mctp: defer the kfree of object mdev->addrs

From: Jeremy Kerr
Date: Mon Apr 25 2022 - 23:30:55 EST


Hi Lin,

> The function mctp_unregister() reclaims the device's relevant resource
> when a netcard detaches. However, a running routine may be unaware of
> this and cause the use-after-free of the mdev->addrs object.

[...]

> To this end, just like the commit e04480920d1e ("Bluetooth: defer
> cleanup of resources in hci_unregister_dev()") this patch defers the
> destructive kfree(mdev->addrs) in mctp_unregister to the mctp_dev_put,
> where the refcount of mdev is zero and the entire device is reclaimed.
> This prevents the use-after-free because the sendmsg thread holds the
> reference of mdev in the mctp_route object.

Looks good to me, thanks for checking this out.

We could also check out the semantics of ->addrs over a release (perhaps
we should clear addresses immediately with the write lock held?), but
that would be best done as a separate change.

So:

Acked-by: Jeremy Kerr <jk@xxxxxxxxxxxxxxxxxxxx>

Cheers,


Jeremy
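The pattern the quoted patch description applies (free a sub-object only when the owning object's last reference is dropped, never on the unregister path while other holders may still be running) modelled in userspace C. This is an added illustration written for this thread, not the kernel's net/mctp code: the `struct mdev`, `mdev_hold`/`mdev_put`, `mdev_unregister`, `route_lookup_local` and `scenario` names, the `defer_addrs_free` switch that selects old versus patched behaviour, and the sample EID values are all assumptions of the model. The real bug left `mdev->addrs` dangling after `kfree`; the model NULLs it after the early free so the program stays well-defined and the difference is observable as a return value rather than as undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not kernel code: a single-threaded userspace model of
 * deferring the free of mdev->addrs from unregister to the final put. */

struct mdev {
    int refs;              /* reference count (no locking in this model) */
    bool registered;       /* cleared by unregister */
    unsigned char *addrs;  /* local EIDs: the object the patch protects */
    size_t num_addrs;
    bool defer_addrs_free; /* false = pre-patch behaviour, true = patched */
};

/* Counters so a caller can observe how many times each free ran. */
static int freed_addrs_count;
static int freed_mdev_count;

/* Final release: runs only when the last reference is dropped. */
static void mdev_free(struct mdev *d)
{
    if (d->addrs) {        /* patched path: addrs is freed here, not earlier */
        free(d->addrs);
        freed_addrs_count++;
    }
    free(d);
    freed_mdev_count++;
}

struct mdev *mdev_alloc(const unsigned char *eids, size_t n, bool defer)
{
    struct mdev *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    d->addrs = malloc(n);
    if (!d->addrs) { free(d); return NULL; }
    memcpy(d->addrs, eids, n);
    d->num_addrs = n;
    d->refs = 1;           /* the registration's own reference */
    d->registered = true;
    d->defer_addrs_free = defer;
    return d;
}

void mdev_hold(struct mdev *d) { d->refs++; }

void mdev_put(struct mdev *d)
{
    if (--d->refs == 0)
        mdev_free(d);
}

/* Unregister drops the registration reference. Pre-patch, the addrs buffer
 * was also freed right here while other reference holders could still use it. */
void mdev_unregister(struct mdev *d)
{
    d->registered = false;
    if (!d->defer_addrs_free) {
        free(d->addrs);
        d->addrs = NULL;   /* constructed: keeps the model well-defined */
        d->num_addrs = 0;
        freed_addrs_count++;
    }
    mdev_put(d);
}

/* A route user that holds a reference and reads addrs, like the sendmsg path.
 * Returns the index of eid, -1 if addrs is already gone, -2 if not present. */
int route_lookup_local(const struct mdev *d, unsigned char eid)
{
    if (!d->addrs) return -1;  /* pre-patch: this would have been the UAF */
    for (size_t i = 0; i < d->num_addrs; i++)
        if (d->addrs[i] == eid) return (int)i;
    return -2;
}

/* Scenario: a route takes a reference, the device is unregistered underneath
 * it, and the route then reads addrs. Returns the lookup result. */
int scenario(bool defer)
{
    unsigned char eids[] = {8, 9, 10};  /* constructed sample EIDs */
    freed_addrs_count = 0;
    freed_mdev_count = 0;
    struct mdev *d = mdev_alloc(eids, sizeof eids, defer);
    if (!d) return -3;
    mdev_hold(d);          /* route's reference, as mctp_route holds mdev */
    mdev_unregister(d);    /* device detaches while the route still runs */
    int r = route_lookup_local(d, 10);
    mdev_put(d);           /* last reference: mdev (and addrs) freed here */
    return r;
}

int main(void)
{
    printf("pre-patch lookup: %d\n", scenario(false));
    printf("patched lookup:   %d\n", scenario(true));
    return 0;
}
```

With the early free, the route's lookup finds the address table already gone (-1 here, a dangling read in the real code); with the free deferred to the last `mdev_put`, the lookup still sees index 2 and both objects are released exactly once when the route drops its reference.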