From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Wang Liang <wangliang74@huawei.com>,
willemdebruijn.kernel@gmail.com, jasowang@redhat.com,
andrew+netdev@lunn.ch, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org,
john.fastabend@gmail.com, sdf@fomichev.me, lorenzo@kernel.org,
toke@redhat.com
Cc: yuehaibing@huawei.com, zhangchangzhong@huawei.com,
wangliang74@huawei.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH net] net: tun: Update napi->skb after XDP process
Date: Thu, 18 Sep 2025 18:27:42 -0400 [thread overview]
Message-ID: <willemdebruijn.kernel.548f5be689dc@gmail.com> (raw)
In-Reply-To: <willemdebruijn.kernel.1aca4aa96eb20@gmail.com>
Willem de Bruijn wrote:
> Wang Liang wrote:
> > The syzbot report a UAF issue:
> >
> > BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
> > BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]
> > BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
> > Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079
> > CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> > print_address_description mm/kasan/report.c:378 [inline]
> > print_report+0xca/0x240 mm/kasan/report.c:482
> > kasan_report+0x118/0x150 mm/kasan/report.c:595
> > skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
> > napi_frags_skb net/core/gro.c:723 [inline]
> > napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
> > tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920
> > tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
> > new_sync_write fs/read_write.c:593 [inline]
> > vfs_write+0x5c9/0xb30 fs/read_write.c:686
> > ksys_write+0x145/0x250 fs/read_write.c:738
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > </TASK>
> >
> > Allocated by task 6079:
> > kasan_save_stack mm/kasan/common.c:47 [inline]
> > kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> > unpoison_slab_object mm/kasan/common.c:330 [inline]
> > __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558
> > kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]
> > napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295
> > __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657
> > napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811
> > napi_get_frags+0x69/0x140 net/core/gro.c:673
> > tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]
> > tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784
> > tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
> > new_sync_write fs/read_write.c:593 [inline]
> > vfs_write+0x5c9/0xb30 fs/read_write.c:686
> > ksys_write+0x145/0x250 fs/read_write.c:738
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > Freed by task 6079:
> > kasan_save_stack mm/kasan/common.c:47 [inline]
> > kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> > kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
> > poison_slab_object mm/kasan/common.c:243 [inline]
> > __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
> > kasan_slab_free include/linux/kasan.h:233 [inline]
> > slab_free_hook mm/slub.c:2422 [inline]
> > slab_free mm/slub.c:4695 [inline]
> > kmem_cache_free+0x18f/0x400 mm/slub.c:4797
> > skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969
> > netif_skb_check_for_xdp net/core/dev.c:5390 [inline]
> > netif_receive_generic_xdp net/core/dev.c:5431 [inline]
> > do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499
> > tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872
> > tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
> > new_sync_write fs/read_write.c:593 [inline]
> > vfs_write+0x5c9/0xb30 fs/read_write.c:686
> > ksys_write+0x145/0x250 fs/read_write.c:738
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > After commit e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in
> > generic mode"), the original skb may be freed in skb_pp_cow_data() when
> > XDP program was attached, which was allocated in tun_napi_alloc_frags().
> > However, the napi->skb still point to the original skb, update it after
> > XDP process.
> >
> > Reported-by: syzbot+64e24275ad95a915a313@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=64e24275ad95a915a313
> > Fixes: e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in generic mode")
> > Signed-off-by: Wang Liang <wangliang74@huawei.com>
> > ---
> > drivers/net/tun.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> > index cc6c50180663..47ddcb4b9a78 100644
> > --- a/drivers/net/tun.c
> > +++ b/drivers/net/tun.c
> > @@ -1875,6 +1875,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
> > local_bh_enable();
> > goto unlock_frags;
> > }
> > +
> > + if (frags && skb != tfile->napi.skb)
> > + tfile->napi.skb = skb;
>
> This is observed with tun because syzkaller can fuzz napi with that.
> That unfortunately added fuzz test coverage to a combination that is
> not intended for real use: XDP generic before napi frags.
>
> Tun is the only driver that calls do_xdp_generic on a napi.skb and
> later passes this napi to napi_gro_frags.
>
> But this is no longer a napi frags skb on which napi_gro_frags
> (and napi_frags_skb and gro_pull_from_frag0) should be called? As the
> skb now has a linear part. Not sure that the frag0 is still correct.
Never mind this. napi_alloc_skb may also fall back to a regular
__skb_alloc and pass that a napi.skb to napi_gro_frags. Which
reinitializes the NAPI_GRO_CB and with that frag0 accordingly.
next prev parent reply other threads:[~2025-09-18 22:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-17 11:39 [PATCH net] net: tun: Update napi->skb after XDP process Wang Liang
2025-09-18 14:30 ` Willem de Bruijn
2025-09-18 22:27 ` Willem de Bruijn [this message]
2025-09-19 14:46 ` Willem de Bruijn
2025-09-19 23:50 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=willemdebruijn.kernel.548f5be689dc@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=andrew+netdev@lunn.ch \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=jasowang@redhat.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=toke@redhat.com \
--cc=wangliang74@huawei.com \
--cc=yuehaibing@huawei.com \
--cc=zhangchangzhong@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.