Patrick McHardy
2008-Jul-02 13:04 UTC
[Bridge] bridge: fix use-after-free in br_cleanup_bridges()
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: x
Url: http://lists.linux-foundation.org/pipermail/bridge/attachments/20080702/0f2a7607/attachment.txt
Stephen Hemminger
2008-Jul-02 16:48 UTC
[Bridge] bridge: fix use-after-free in br_cleanup_bridges()
On Wed, 02 Jul 2008 15:04:14 +0200 Patrick McHardy <kaber at trash.net> wrote:

> commit 96f1dd78dad10d61bdd487edadea6adda5425e4c
> Author: Patrick McHardy <kaber at trash.net>
> Date: Wed Jul 2 15:02:23 2008 +0200
>
> bridge: fix use-after-free in br_cleanup_bridges()
>
> Unregistering a bridge device may cause virtual devices stacked on the
> bridge, like vlan or macvlan devices, to be unregistered as well.
> br_cleanup_bridges() uses for_each_netdev_safe() to iterate over all
> devices during cleanup. This is not enough however, if one of the
> additionally unregistered devices is next in the list to the bridge
> device, it will get freed as well and the iteration continues on
> the freed element.
>
> Restart iteration after each bridge device removal from the beginning to
> fix this, similar to what rtnl_link_unregister() does.
>
> Signed-off-by: Patrick McHardy <kaber at trash.net>

Acked-by: Stephen Hemminger <shemminger at vyatta.com>
David Miller
2008-Jul-03 10:54 UTC
[Bridge] bridge: fix use-after-free in br_cleanup_bridges()
From: Stephen Hemminger <shemminger at vyatta.com>
Date: Wed, 2 Jul 2008 09:48:17 -0700

> On Wed, 02 Jul 2008 15:04:14 +0200
> Patrick McHardy <kaber at trash.net> wrote:
>
> > commit 96f1dd78dad10d61bdd487edadea6adda5425e4c
> > Author: Patrick McHardy <kaber at trash.net>
> > Date: Wed Jul 2 15:02:23 2008 +0200
> >
> > bridge: fix use-after-free in br_cleanup_bridges()
> >
> > Unregistering a bridge device may cause virtual devices stacked on the
> > bridge, like vlan or macvlan devices, to be unregistered as well.
> > br_cleanup_bridges() uses for_each_netdev_safe() to iterate over all
> > devices during cleanup. This is not enough however, if one of the
> > additionally unregistered devices is next in the list to the bridge
> > device, it will get freed as well and the iteration continues on
> > the freed element.
> >
> > Restart iteration after each bridge device removal from the beginning to
> > fix this, similar to what rtnl_link_unregister() does.
> >
> > Signed-off-by: Patrick McHardy <kaber at trash.net>
>
> Acked-by: Stephen Hemminger <shemminger at vyatta.com>

Applied, thanks everyone.
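
The failure mode described in the commit message, as an added userspace model that is not part of the thread or the kernel patch: a cached-next loop steps onto a device that a cascading unregister already released, while restarting from the list head does not. `struct dev`, `unregister_dev()` and the `cleanup_*` functions are hypothetical names, and released nodes are only flagged so the stale visit can be counted safely.

```c
#include <string.h>

/* Userspace model, not kernel code: all names here are hypothetical.
 * "Freed" nodes are only flagged, so a stale visit can be counted. */
struct dev { int is_bridge, lower, freed; struct dev *next; };
static struct dev pool[4], *head;

/* Constructed list: br0 -> vlan0 (stacked on br0) -> eth0 -> br1 */
static void build(void) {
    memset(pool, 0, sizeof(pool));
    pool[0].is_bridge = pool[3].is_bridge = 1;
    pool[0].lower = pool[2].lower = pool[3].lower = -1;
    pool[1].lower = 0;                      /* index of the device below */
    for (int i = 0; i < 3; i++) pool[i].next = &pool[i + 1];
    head = &pool[0];
}

/* Unregistering a device first unregisters everything stacked on it. */
static void unregister_dev(struct dev *d) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].freed && pool[i].lower == (int)(d - pool))
            unregister_dev(&pool[i]);
    struct dev **pp = &head;
    while (*pp && *pp != d) pp = &(*pp)->next;
    if (*pp) *pp = d->next;                 /* unlink from the list */
    d->freed = 1;                           /* d->next stays as stale data */
}

/* Cached-next iteration: returns how many released nodes were visited. */
int cleanup_cached_next(void) {
    int stale = 0;
    build();
    for (struct dev *d = head, *n; d; d = n) {
        n = d->next;                        /* saved before the removal */
        if (d->freed) { stale++; continue; }
        if (d->is_bridge) unregister_dev(d);
    }
    return stale;
}

/* Restart from the head after each removal: no saved pointer survives it. */
int cleanup_restart(void) {
    int stale = 0;
    build();
restart:
    for (struct dev *d = head; d; d = d->next) {
        if (d->freed) stale++;
        if (d->is_bridge) { unregister_dev(d); goto restart; }
    }
    return stale;
}
```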