From patchwork Tue Jul 14 06:24:56 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Lothar Waßmann
X-Patchwork-Id: 29756
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@bilbo.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from ozlabs.org (ozlabs.org [203.10.76.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mx.ozlabs.org", Issuer "CA Cert Signing Authority" (verified OK)) by bilbo.ozlabs.org (Postfix) with ESMTPS id 48E2BB708D for ; Tue, 14 Jul 2009 16:25:41 +1000 (EST)
Received: by ozlabs.org (Postfix) id 3A179DDDD4; Tue, 14 Jul 2009 16:25:41 +1000 (EST)
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id C8D3FDDDA0 for ; Tue, 14 Jul 2009 16:25:40 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753646AbZGNGZO (ORCPT ); Tue, 14 Jul 2009 02:25:14 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753572AbZGNGZL (ORCPT ); Tue, 14 Jul 2009 02:25:11 -0400
Received: from mail.karo-electronics.de ([81.173.242.67]:50416 "EHLO mail.karo-electronics.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753545AbZGNGZJ (ORCPT ); Tue, 14 Jul 2009 02:25:09 -0400
Received: from lothar by ipc1.ka-ro with local (Exim 4.63 #1 (Debian)) id 1MQbRg-0002vx-95; Tue, 14 Jul 2009 08:24:56 +0200
Message-ID: <19036.9400.263297.330963@ipc1.ka-ro>
Date: Tue, 14 Jul 2009 08:24:56 +0200
From: Lothar Waßmann
To: Oliver Hartkopp
Cc: Herbert Xu, davem@davemloft.net, netdev@vger.kernel.org, urs.thuermann@volkswagen.de, Urs Thuermann
Subject: Re: use after free bug in socket code
In-Reply-To: <4A5B730B.8090902@hartkopp.net>
References: <19028.16049.907160.45293@ipc1.ka-ro> <20090709154533.GA27413@gondor.apana.org.au> <19035.23045.386506.297464@ipc1.ka-ro> <4A5B730B.8090902@hartkopp.net>
X-Mailer: VM 7.19 under Emacs 21.4.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Hi,

Oliver Hartkopp writes:
> Unfortunately I did not get any answer from Urs so far, who originally created
> these lines of code.
>
> But from what I was able to get from browsing similar code in the Kernel that
> at least sock_orphan() is called in the appropriate socket release functions,
> which is indeed not done by the mentioned PF_CAN protocols right now.
>
> I assume you already tested this patch (at least with CAN_RAW) successfully,
> right?
>
Yes.

> If so, I would have no objections to add my Acked-by to these changes.
>
> Would you like to prepare a proper patch and post it on netdev?
>
I'll do. I would also submit a second patch to add an appropriate
MODULE_ALIAS to the protocol drivers, so they can be autoloaded when
compiled as module:

> ps. This code section was stable for more than three years now. Can you tell
> me, how you kicked your system to run into this problem?
>
I was working on a chip driver for the i.MX25 flexcan controller. The bug
was visible due to CONFIG_DEBUG_SLAB=y which makes sure that memory is
poisoned with a special pattern upon being freed. The situation where this
triggers a bug is when the chip driver's hard_start_xmit function returns
a NETDEV_TX_BUSY and subsequently the can interface is deconfigured.
Maybe you could try this on different hardware?
Lothar Waßmann Acked-by: Oliver Hartkopp diff -ur linux-2.6.30/net/can/bcm.c linux-2.6.30-karo/net/can/bcm.c --- linux-2.6.30/net/can/bcm.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/bcm.c 2009-07-12 20:12:38.000000000 +0200 @@ -75,6 +75,7 @@ MODULE_DESCRIPTION("PF_CAN broadcast manager protocol"); MODULE_LICENSE("Dual BSD/GPL"); MODULE_AUTHOR("Oliver Hartkopp "); +MODULE_ALIAS("can-proto-2"); /* easy access to can_frame payload */ static inline u64 GET_U64(const struct can_frame *cp) diff -ur linux-2.6.30/net/can/raw.c linux-2.6.30-karo/net/can/raw.c --- linux-2.6.30/net/can/raw.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/raw.c 2009-07-12 20:12:29.000000000 +0200 @@ -62,6 +62,7 @@ MODULE_DESCRIPTION("PF_CAN raw protocol"); MODULE_LICENSE("Dual BSD/GPL"); MODULE_AUTHOR("Urs Thuermann "); +MODULE_ALIAS("can-proto-1"); #define MASK_ALL 0
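Review bot: in the bcm.c hunk the alias string "can-proto-2" carries a bare protocol number with nothing tying it to the CAN_BCM value it has to stay equal to; a comment on the MODULE_ALIAS line such as `/* protocol number must match CAN_BCM (see include/linux/can.h) */` would keep the two from drifting apart when someone renumbers the protocol enum. Also, the patch as posted has no changelog and no Signed-off-by line above the diff, only the Acked-by, so it is not yet in the form netdev takes; a one-line description stating that the alias exists so that the protocol module can be autoloaded on socket creation would cover that.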
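Review bot: the raw.c hunk has the same unexplained literal, "can-proto-1", which has to stay equal to CAN_RAW; name the constant in a comment as for bcm.c. Since the stated purpose of both aliases is autoloading when built as a module, the changelog should say so explicitly: once the alias is present, an ordinary socket(PF_CAN, ...) call by an unprivileged process is enough to trigger loading of can-raw, which is normal for protocol modules but is exactly the kind of behaviour that people who restrict kernel module autoloading on their systems want to find documented in the commit rather than discover from the alias string.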