On Fri, Aug 31, 2018 at 02:36:42PM -0700, Zubin Mithra wrote:
> From: Jason Wang <jasowang@xxxxxxxxxx>
>
> commit b196d88aba8ac72b775137854121097f4c4c6862 upstream.
>
> We used to initialize the ptr_ring during TUNSETIFF, because its
> size depends on the tx_queue_len of the netdevice, and we tried to clean it
> up when the socket was detached from the netdevice. A race was spotted when
> trying to do uninit during a read, which leads to a use after free of the
> pointer ring. Solve this by always initializing a zero-size ptr_ring
> in open() and resizing it during TUNSETIFF; then we can safely do
> cleanup during close(). With this, there's no need for the workaround
> that was introduced by commit 4df0bfc79904 ("tun: fix a memory leak
> for tfile->tx_array").
>
> Backport Note:
> This is a backport of the following 2 upstream patches (the second fixes the
> first).
> b196d88aba ("tun: fix use after free for ptr_ring")
> 7063efd33b ("tuntap: fix use after free during release")

Please backport the two patches individually, do not mush anything together.

thanks,

greg k-h