tuntap: fix use after free during release

After commit b196d88aba8a ("tun: fix use after free for ptr_ring") we need clean up tx ring during release(). But unfortunately, it tries to do the cleanup blindly after socket were destroyed which will lead another use-after-free. Fix this by doing the cleanup before dropping the last reference of the socket in __tun_detach(). Reported-by: Andrei Vagin <avagin@virtuozzo.com> Acked-by: Andrei Vagin <avagin@virtuozzo.com> Fixes: b196d88aba8a ("tun: fix use after free for ptr_ring") Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Jason Wang <jasowang@redhat.com> 2018-05-16 08:39:33 -0400
committer: David S. Miller <davem@davemloft.net> 2018-05-16 14:53:10 -0400
commit: 7063efd33bb15abc0160347f89eb5aba6b7d000e (patch)
tree: b60645544d7381dd2337323566ed402620d0e163
parent: fee8fb952d1e1c1a60e2017878a16cf83c92c154 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 9fbbb328b95b..d45ac37e1287 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -729,6 +729,7 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
                }
                if (tun)
                        xdp_rxq_info_unreg(&tfile->xdp_rxq);
+                ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
                sock_put(&tfile->sk);
        }
 }
@@ -3245,7 +3246,6 @@ static int tun_chr_close(struct inode *inode, struct file *file)
        struct tun_file *tfile = file->private_data;
        tun_detach(tfile, true);
-        ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
        return 0;
 }
author	Jason Wang <jasowang@redhat.com>	2018-05-16 08:39:33 -0400
committer	David S. Miller <davem@davemloft.net>	2018-05-16 14:53:10 -0400
commit	7063efd33bb15abc0160347f89eb5aba6b7d000e (patch)
tree	b60645544d7381dd2337323566ed402620d0e163
parent	fee8fb952d1e1c1a60e2017878a16cf83c92c154 (diff)