[PATCH v1] selftests/xsk: Avoid use-after-free on ctx

BPF List
 help / color / mirror / Atom feed

* [PATCH v1] selftests/xsk: Avoid use-after-free on ctx
@ 2022-09-01 20:26 Ian Rogers
  2022-09-02  6:15 ` Magnus Karlsson
  2022-09-02 14:00 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Ian Rogers @ 2022-09-01 20:26 UTC (permalink / raw)
  To: Björn Töpel, Magnus Karlsson, Maciej Fijalkowski,
	Jonathan Lemon, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
	John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Mykola Lysenko, Shuah Khan, netdev, bpf, linux-kselftest,
	linux-kernel
  Cc: Ian Rogers

The put lowers the reference count to 0 and frees ctx, reading it
afterwards is invalid. Move the put after the uses and determine the
last use by the reference count being 1.

Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
Signed-off-by: Ian Rogers <irogers@google.com>
---
 tools/testing/selftests/bpf/xsk.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/bpf/xsk.c b/tools/testing/selftests/bpf/xsk.c
index f2721a4ae7c5..0b3ff49c740d 100644
--- a/tools/testing/selftests/bpf/xsk.c
+++ b/tools/testing/selftests/bpf/xsk.c
@@ -1237,15 +1237,15 @@ void xsk_socket__delete(struct xsk_socket *xsk)
 	ctx = xsk->ctx;
 	umem = ctx->umem;
 
-	xsk_put_ctx(ctx, true);
-
-	if (!ctx->refcount) {
+	if (ctx->refcount == 1) {
 		xsk_delete_bpf_maps(xsk);
 		close(ctx->prog_fd);
 		if (ctx->has_bpf_link)
 			close(ctx->link_fd);
 	}
 
+	xsk_put_ctx(ctx, true);
+
 	err = xsk_get_mmap_offsets(xsk->fd, &off);
 	if (!err) {
 		if (xsk->rx) {
-- 
2.37.2.789.g6183377224-goog


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH v1] selftests/xsk: Avoid use-after-free on ctx
  2022-09-01 20:26 [PATCH v1] selftests/xsk: Avoid use-after-free on ctx Ian Rogers
@ 2022-09-02  6:15 ` Magnus Karlsson
  2022-09-02 14:00 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Magnus Karlsson @ 2022-09-02  6:15 UTC (permalink / raw)
  To: Ian Rogers
  Cc: Björn Töpel, Magnus Karlsson, Maciej Fijalkowski,
	Jonathan Lemon, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
	John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Mykola Lysenko, Shuah Khan, netdev, bpf, linux-kselftest,
	linux-kernel

On Thu, Sep 1, 2022 at 10:56 PM Ian Rogers <irogers@google.com> wrote:
>
> The put lowers the reference count to 0 and frees ctx, reading it
> afterwards is invalid. Move the put after the uses and determine the
> last use by the reference count being 1.

Thanks for spotting and fixing this Ian.

Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>

> Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
> Signed-off-by: Ian Rogers <irogers@google.com>
> ---
>  tools/testing/selftests/bpf/xsk.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/xsk.c b/tools/testing/selftests/bpf/xsk.c
> index f2721a4ae7c5..0b3ff49c740d 100644
> --- a/tools/testing/selftests/bpf/xsk.c
> +++ b/tools/testing/selftests/bpf/xsk.c
> @@ -1237,15 +1237,15 @@ void xsk_socket__delete(struct xsk_socket *xsk)
>         ctx = xsk->ctx;
>         umem = ctx->umem;
>
> -       xsk_put_ctx(ctx, true);
> -
> -       if (!ctx->refcount) {
> +       if (ctx->refcount == 1) {
>                 xsk_delete_bpf_maps(xsk);
>                 close(ctx->prog_fd);
>                 if (ctx->has_bpf_link)
>                         close(ctx->link_fd);
>         }
>
> +       xsk_put_ctx(ctx, true);
> +
>         err = xsk_get_mmap_offsets(xsk->fd, &off);
>         if (!err) {
>                 if (xsk->rx) {
> --
> 2.37.2.789.g6183377224-goog
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v1] selftests/xsk: Avoid use-after-free on ctx
  2022-09-01 20:26 [PATCH v1] selftests/xsk: Avoid use-after-free on ctx Ian Rogers
  2022-09-02  6:15 ` Magnus Karlsson
@ 2022-09-02 14:00 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-09-02 14:00 UTC (permalink / raw)
  To: Ian Rogers
  Cc: bjorn, magnus.karlsson, maciej.fijalkowski, jonathan.lemon, ast,
	daniel, andrii, martin.lau, song, yhs, john.fastabend, kpsingh,
	sdf, haoluo, jolsa, mykolal, shuah, netdev, bpf, linux-kselftest,
	linux-kernel

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:

On Thu,  1 Sep 2022 13:26:45 -0700 you wrote:
> The put lowers the reference count to 0 and frees ctx, reading it
> afterwards is invalid. Move the put after the uses and determine the
> last use by the reference count being 1.
> 
> Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
> Signed-off-by: Ian Rogers <irogers@google.com>
> 
> [...]

Here is the summary with links:
  - [v1] selftests/xsk: Avoid use-after-free on ctx
    https://git.kernel.org/bpf/bpf-next/c/af515a5587b8

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-09-02 14:40 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-09-01 20:26 [PATCH v1] selftests/xsk: Avoid use-after-free on ctx Ian Rogers
2022-09-02  6:15 ` Magnus Karlsson
2022-09-02 14:00 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox