Re: [PATCH net] tun: fix use after free for ptr_ring

On Wed, May 09, 2018 at 02:59:58PM +0800, Jason Wang wrote: > We used to initialize ptr_ring during TUNSETIFF, this is because its > size depends on the tx_queue_len of netdevice. And we try to clean it > up when socket were detached from netdevice. A race were spotted when > trying to do uninit

Re: [PATCH net] tun: fix use after free for ptr_ring

On 2018年05月11日 02:08, Cong Wang wrote: On Tue, May 8, 2018 at 11:59 PM, Jason Wang wrote: We used to initialize ptr_ring during TUNSETIFF, this is because its size depends on the tx_queue_len of netdevice. And we try to clean it up when socket were detached from

Re: [PATCH net] tun: fix use after free for ptr_ring

On Tue, May 8, 2018 at 11:59 PM, Jason Wang wrote: > We used to initialize ptr_ring during TUNSETIFF, this is because its > size depends on the tx_queue_len of netdevice. And we try to clean it > up when socket were detached from netdevice. A race were spotted when > trying

[PATCH net] tun: fix use after free for ptr_ring

We used to initialize ptr_ring during TUNSETIFF, this is because its size depends on the tx_queue_len of netdevice. And we try to clean it up when socket were detached from netdevice. A race were spotted when trying to do uninit during a read which will lead a use after free for pointer ring.