From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jesper Dangaard Brouer Subject: Re: [PATCH net] tun: Fix use-after-free on XDP_TX Date: Fri, 13 Jul 2018 07:57:07 +0200 Message-ID: <20180713075707.799818ec@redhat.com> References: <1531455878-2552-1-git-send-email-makita.toshiaki@lab.ntt.co.jp> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Cc: Toshiaki Makita , "David S . Miller" , netdev@vger.kernel.org, brouer@redhat.com To: Jason Wang Return-path: Received: from mx3-rdu2.redhat.com ([66.187.233.73]:38328 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726389AbeGMGKR (ORCPT ); Fri, 13 Jul 2018 02:10:17 -0400 In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Fri, 13 Jul 2018 13:05:04 +0800 Jason Wang wrote: > On 2018年07月13日 12:24, Toshiaki Makita wrote: > > On XDP_TX we need to free up the frame only when tun_xdp_tx() returns a > > negative value. A positive value indicates that the packet is > > successfully enqueued to the ptr_ring, so freeing the page causes > > use-after-free. > > > > Fixes: 735fc4054b3a ("xdp: change ndo_xdp_xmit API to support bulking") > > Signed-off-by: Toshiaki Makita > > --- > > drivers/net/tun.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > > index a192a01..f5727ba 100644 > > --- a/drivers/net/tun.c > > +++ b/drivers/net/tun.c > > @@ -1688,7 +1688,7 @@ static struct sk_buff *tun_build_skb(struct tun_struct *tun, > > case XDP_TX: > > get_page(alloc_frag->page); > > alloc_frag->offset += buflen; > > - if (tun_xdp_tx(tun->dev, &xdp)) > > + if (tun_xdp_tx(tun->dev, &xdp) < 0) > > goto err_redirect; > > rcu_read_unlock(); > > local_bh_enable(); > > Acked-by: Jason Wang Acked-by: Jesper Dangaard Brouer Thanks for catching and fixing this! -- Best regards, Jesper Dangaard Brouer MSc.CS, Principal Kernel Engineer at Red Hat LinkedIn: http://www.linkedin.com/in/brouer