Date: Wed, 28 Aug 2024 17:06:57 -0700
From: Jakub Kicinski
To: Jeongjun Park
Cc: Paolo Abeni, wei.liu@kernel.org, paul@xen.org, davem@davemloft.net, edumazet@google.com, madhuparnabhowmik04@gmail.com, xen-devel@lists.xenproject.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] net/xen-netback: prevent UAF in xenvif_flush_hash()
Message-ID: <20240828170657.5f493cc6@kernel.org>
References: <20240822181109.2577354-1-aha310510@gmail.com>

On Wed, 28 Aug 2024 21:52:12 +0900 Jeongjun Park wrote:
> > The loop runs with irq disabled, the RCU critical section extends over
> > it, uninterrupted.
>
> Basically, list_for_each_entry_rcu is specified to be used under the protection
> of rcu_read_lock(), but this is not the case with xenvif_new_hash(). If it is
> used without the protection of rcu_read_lock(), kfree is called immediately
> after the grace period ends after the call to kfree_rcu() inside
> list_for_each_entry_rcu, so the entry is released, and a UAF occurs when
> fetching with ->next thereafter.

You cut off and didn't answer Paolo's question whether you have a splat /
saw this actually cause a crash or a KASAN warning.