net/rtdev: Commit e972e78e reintroduces memory corruption fixed by 74464ee3
jan.kiszka at siemens.com
Fri Mar 8 13:55:05 CET 2019
On 08.03.19 13:47, Jouko Haapaluoma wrote:
> I have been investigating kernel memory corruption issues in our system (Xenomai 2.6.4 and RTnet 0.9.13.2).
> I traced the root cause into the rtdev_map_rtskb() function where a linked list is always grown but never shrunk.
> You have recently created a patch that fixes this: 74464ee3.
> Additionally, there seemed to be a regression and that was fixed in e972e78e. However, this regression fix
> reintroduces the memory corruption in cases where the rtdev does not have the rtdev->map_rtskb function defined.
> Therefore we end up in the situation that existed before 74464ee3: The rtskb_mapwait_list will grow but not shrink.
> If sockets are destroyed and recreated, the rtskb_mapwait_list->next will point to a destroyed skb object which causes a
> use-after-free memory corruption when calling list_add().
Hmpf, right, too bad.
I suppose we should be fine by dropping the rtskb from the waitlist in
rtdev_unmap_rtskb if it had no dma address set.
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
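A model of the failure mode described in the report and of the unmap change proposed in the reply, as an added example that is not RTnet's or Xenomai's code: the list, rtskb and rtdev definitions are simplified stand-ins, and the two unmap variants are hypothetical names used to contrast the broken and fixed behaviour.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Minimal intrusive doubly linked list in the style of the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
#define LIST_INIT(l) { &(l), &(l) }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}
static bool list_empty(const struct list_head *h) { return h->next == h; }
/* Simplified stand-ins for rtskb and rtdev (not RTnet's definitions). */
struct rtskb { struct list_head mapwait; unsigned long dma_addr; };
struct rtdev { unsigned long (*map_rtskb)(struct rtskb *); };
static struct list_head rtskb_mapwait_list = LIST_INIT(rtskb_mapwait_list);
/* An rtdev without map_rtskb queues the skb on the wait list instead of
 * giving it a DMA address: the case the report describes. */
static void rtdev_map_rtskb(struct rtdev *dev, struct rtskb *skb) {
    if (dev->map_rtskb)
        skb->dma_addr = dev->map_rtskb(skb);
    else
        list_add(&skb->mapwait, &rtskb_mapwait_list);
}
/* Broken unmap: an skb that never got a DMA address stays on the wait
 * list, so once the caller frees it the list points at freed memory. */
static void rtdev_unmap_rtskb_broken(struct rtskb *skb) {
    if (skb->dma_addr) skb->dma_addr = 0;
}

/* Fixed unmap (the change proposed in the reply): no DMA address means
 * the skb is still queued, so unlink it before it is freed. */
static void rtdev_unmap_rtskb_fixed(struct rtskb *skb) {
    if (skb->dma_addr) skb->dma_addr = 0;
    else list_del(&skb->mapwait);
}

/* Map then unmap one skb on a device without map_rtskb; true means the
 * wait list still references it, so the next list_add() would touch freed memory. */
static bool leaves_dangling_entry(void (*unmap)(struct rtskb *)) {
    struct rtdev dev = { .map_rtskb = NULL };
    struct rtskb *skb = calloc(1, sizeof *skb);
    rtdev_map_rtskb(&dev, skb);
    unmap(skb);
    bool dangling = !list_empty(&rtskb_mapwait_list);
    if (dangling) list_del(&skb->mapwait); /* unlink so the model stays consistent */
    free(skb);
    return dangling;
}
```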