Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> writes:

> On 8/13/2018 2:16 PM, Toke Høiland-Jørgensen wrote:
>> The TXQ teardown code can reference the vif data structures that are
>> stored in the netdev private memory area if there are still packets on
>> the queue when it is being freed. Since the TXQ teardown code is run
>> after the netdevs are freed, this can lead to a use-after-free. Fix this
>> by moving the TXQ teardown code to earlier in ieee80211_unregister_hw().
>
> Just off the bat, but from reading the above I am wondering whether
> the use-after-free could also happen upon removing an interface?

Hmm, there doesn't appear to be *any* teardown of TXQs when an interface
is removed...? So I guess that if an interface is removed while it still
has frames on the multicast TXQ, those packets would be left hanging
there? I don't think there would be an explicit use-after-free, because
they will never get dequeued, so they would just constitute a memory
leak?

Am I missing some automatic mechanism that always empties out queues
before an interface is brought down?

-Toke
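The lifetime-ordering problem the thread is about, as an added user-space model that is not mac80211 code: queued skbs carry a pointer to a vif embedded in the netdev's private area (the model's `struct netdev`, `struct vif`, `struct skb` and `struct txq` are simplified stand-ins, not the kernel's types). Freeing the netdev before the TXQ is drained means every dequeue reads freed memory; draining first avoids it; removing the interface without draining at all leaves the skbs behind. `netdev_free()` poisons the private area instead of returning it to malloc so that a dangling read is observable rather than undefined behaviour.

```c
/* Added example (not mac80211 code): user-space model of TXQ teardown ordering. */
#include <stdio.h>
#include <stdlib.h>

#define VIF_ALIVE  0x56494641u  /* vif is backed by live memory */
#define VIF_POISON 0x6b6b6b6bu  /* stand-in for the allocator's free poison */

struct vif { unsigned int magic; char name[16]; };

/* The vif lives inside the netdev private area, like sdata via netdev_priv(). */
struct netdev { char name[16]; struct vif priv; };

struct skb { struct skb *next; struct vif *vif; };  /* vif: control.vif in the real cb */

struct txq { struct skb *head; int len; };

static struct netdev *netdev_alloc(const char *name)
{
    struct netdev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        abort();
    snprintf(dev->name, sizeof(dev->name), "%s", name);
    snprintf(dev->priv.name, sizeof(dev->priv.name), "%s", name);
    dev->priv.magic = VIF_ALIVE;
    return dev;
}

/* "Free" the netdev: poison the private area so a later dangling read is detectable. */
static void netdev_free(struct netdev *dev) { dev->priv.magic = VIF_POISON; }

/* Really release the storage, only once nothing can reference it any more. */
static void netdev_release(struct netdev *dev) { free(dev); }

static void txq_enqueue(struct txq *q, struct vif *vif)
{
    struct skb *skb = calloc(1, sizeof(*skb));
    if (!skb)
        abort();
    skb->vif = vif;
    skb->next = q->head;
    q->head = skb;
    q->len++;
}

/* Drain the queue, freeing every skb. Returns how many skbs pointed at a vif
 * whose backing memory was already freed: each one is a use-after-free read. */
static int txq_drain(struct txq *q)
{
    int dangling = 0;
    while (q->head) {
        struct skb *skb = q->head;
        q->head = skb->next;
        q->len--;
        if (skb->vif->magic != VIF_ALIVE)
            dangling++;
        free(skb);
    }
    return dangling;
}

/* Order described in the patch: netdev freed first, TXQs torn down afterwards. */
static int unregister_hw_buggy(struct netdev *dev, struct txq *q)
{
    netdev_free(dev);
    return txq_drain(q);       /* dereferences the vif inside freed memory */
}

/* Fixed order: tear down the TXQs while the vif memory is still valid. */
static int unregister_hw_fixed(struct netdev *dev, struct txq *q)
{
    int dangling = txq_drain(q);
    netdev_free(dev);
    return dangling;
}

/* Three frames queued, then the hw unregistered in the buggy order. */
int scenario_buggy_order(void)
{
    struct netdev *dev = netdev_alloc("wlan0");
    struct txq q = { NULL, 0 };
    for (int i = 0; i < 3; i++)
        txq_enqueue(&q, &dev->priv);
    int dangling = unregister_hw_buggy(dev, &q);
    netdev_release(dev);
    return dangling;           /* 3: every dequeue touched freed memory */
}

/* Same three frames, hw unregistered in the fixed order. */
int scenario_fixed_order(void)
{
    struct netdev *dev = netdev_alloc("wlan0");
    struct txq q = { NULL, 0 };
    for (int i = 0; i < 3; i++)
        txq_enqueue(&q, &dev->priv);
    int dangling = unregister_hw_fixed(dev, &q);
    netdev_release(dev);
    return dangling;           /* 0 */
}

/* Interface removed with frames still queued and no purge on that path:
 * the skbs are never dequeued, so they are simply leaked. */
int scenario_remove_without_purge(void)
{
    struct netdev *dev = netdev_alloc("wlan0");
    struct txq q = { NULL, 0 };
    txq_enqueue(&q, &dev->priv);
    txq_enqueue(&q, &dev->priv);
    netdev_free(dev);          /* no txq_drain() on the modelled removal path */
    int leaked = q.len;
    txq_drain(&q);             /* model cleanup only; the modelled path never does this */
    netdev_release(dev);
    return leaked;             /* 2 */
}

int main(void)
{
    printf("buggy unregister order: %d dangling vif reads\n", scenario_buggy_order());
    printf("fixed unregister order: %d dangling vif reads\n", scenario_fixed_order());
    printf("remove without purge:   %d skbs left on the TXQ\n", scenario_remove_without_purge());
    return 0;
}
```

The same drain-before-free rule that fixes the unregister path is what an interface-removal path would need: purge the vif's queues while `netdev_priv` is still valid, otherwise the frames either leak or, if something drains them later, dangle.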