[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCHv2 3/3] xen-netback: free queues after freeing the net device

To: <netdev@xxxxxxxxxxxxxxx>
From: David Vrabel <david.vrabel@xxxxxxxxxx>
Date: Fri, 15 Jan 2016 14:55:36 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Wei Liu <wei.liu2@xxxxxxxxxx>, David Vrabel <david.vrabel@xxxxxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>
Delivery-date: Fri, 15 Jan 2016 14:55:48 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

If a queue still has a NAPI instance added to the net device, freeing
the queues early results in a use-after-free.

The shouldn't ever happen because we disconnect and tear down all queues
before freeing the net device, but doing this makes it obviously safe.

Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
---
 drivers/net/xen-netback/interface.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/drivers/net/xen-netback/interface.c 
b/drivers/net/xen-netback/interface.c
index 3bba6ce..f5231a2 100644
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -685,22 +685,16 @@ void xenvif_deinit_queue(struct xenvif_queue *queue)
 
 void xenvif_free(struct xenvif *vif)
 {
-       struct xenvif_queue *queue = NULL;
+       struct xenvif_queue *queues = vif->queues;
        unsigned int num_queues = vif->num_queues;
        unsigned int queue_index;
 
        unregister_netdev(vif->dev);
-
-       for (queue_index = 0; queue_index < num_queues; ++queue_index) {
-               queue = &vif->queues[queue_index];
-               xenvif_deinit_queue(queue);
-       }
-
-       vfree(vif->queues);
-       vif->queues = NULL;
-       vif->num_queues = 0;
-
        free_netdev(vif->dev);
 
+       for (queue_index = 0; queue_index < num_queues; ++queue_index)
+               xenvif_deinit_queue(&queues[queue_index]);
+       vfree(queues);
+
        module_put(THIS_MODULE);
 }
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCHv2 0/3 net] xen-netback: use skb to determine number of required (etc.)
  - From: David Vrabel

Prev by Date: [Xen-devel] [PATCHv2 2/3] xen-netback: delete NAPI instance when queue fails to initialize
Next by Date: Re: [Xen-devel] [PATCH] QEMU as non-root and PCI passthrough do not mix
Previous by thread: [Xen-devel] [PATCHv2 2/3] xen-netback: delete NAPI instance when queue fails to initialize
Next by thread: Re: [Xen-devel] [PATCHv2 0/3 net] xen-netback: use skb to determine number of required (etc.)
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.