net/rtdev: Commit e972e78e reintroduces memory corruption fixed by 74464ee3

Jan Kiszka jan.kiszka at siemens.com
Fri Mar 8 13:55:05 CET 2019


On 08.03.19 13:47, Jouko Haapaluoma wrote:
> Hello
> 
> I have been investigating kernel memory corruption issues in our system (Xenomai 2.6.4 and RTnet 0.9.13.2).
> I traced the root cause into the rtdev_map_rtskb() function where a linked list is always grown but not shrunk.
> You have recently created a patch that fixes this: 74464ee3.
> 
> Additionally, there seemed to be a regression and that was fixed in e972e78e. However, this regression fix
> reintroduces the memory corruption in cases where the rtdev does not have the rtdev->map_rtskb function defined.
> Therefore we end up in the situation from before 74464ee3: the rtskb_mapwait_list will grow but not shrink.
> If sockets are destroyed and recreated, the rtskb_mapwait_list->next will point to a destroyed skb object which causes a
> use-after-free memory corruption when calling list_add().

Hmpf, right, too bad.

I suppose we should be fine by dropping the rtskb from the waitlist in 
rtdev_unmap_rtskb if it had no dma address set.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
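As an added illustration that is not part of this thread or of RTnet's code: a constructed, simplified C model of the map-wait list showing why an rtskb must be unlinked in the unmap path even when the device never set a dma address. The names map_rtskb, unmap_rtskb_buggy, unmap_rtskb_fixed, fake_map and leaves_stale_entry are hypothetical; only the list-head shape follows the kernel's list_add()/list_del() convention.

```c
/* Constructed model (illustration only, not RTnet's code): an rtskb is linked on
 * the wait list when mapped and must be unlinked before it is destroyed. */
#include <stdbool.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}
static bool list_contains(const struct list_head *h, const struct list_head *n) {
    for (const struct list_head *p = h->next; p != h; p = p->next)
        if (p == n) return true;
    return false;
}

struct rtskb { unsigned long dma_addr; struct list_head mapwait; };
struct rtdev { unsigned long (*map_rtskb)(struct rtskb *); }; /* hook may be NULL */
static struct list_head rtskb_mapwait_list;

/* Link the skb on the wait list, then map it if the device has a hook. */
static void map_rtskb(struct rtdev *dev, struct rtskb *skb) {
    skb->dma_addr = 0;
    list_add(&skb->mapwait, &rtskb_mapwait_list);
    if (dev->map_rtskb)
        skb->dma_addr = dev->map_rtskb(skb);
}

/* Defective variant: only a mapped skb is unlinked. On a device without
 * map_rtskb the node stays linked and dangles once the skb is freed. */
static void unmap_rtskb_buggy(struct rtskb *skb) {
    if (skb->dma_addr) { skb->dma_addr = 0; list_del(&skb->mapwait); }
}

/* Fixed variant, following the suggestion in the thread: unlink the skb
 * even when no dma address was set. */
static void unmap_rtskb_fixed(struct rtskb *skb) {
    if (skb->dma_addr) skb->dma_addr = 0;
    list_del(&skb->mapwait);
}

static unsigned long fake_map(struct rtskb *skb) { (void)skb; return 0x1000; }

/* One socket lifetime: map, unmap, then report whether the skb's node is
 * still linked (true means a dangling entry was left behind). */
static bool leaves_stale_entry(void (*unmap)(struct rtskb *), bool dev_maps) {
    struct rtdev dev = { .map_rtskb = dev_maps ? fake_map : NULL };
    struct rtskb skb;
    list_init(&rtskb_mapwait_list);
    map_rtskb(&dev, &skb);
    unmap(&skb);
    return list_contains(&rtskb_mapwait_list, &skb.mapwait);
}
```

The stale entry is what the next list_add() on a recreated socket would write through; the model reports it instead of dereferencing freed memory.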