From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Dumazet Subject: Re: KASAN: use-after-free Read in __dev_queue_xmit Date: Wed, 9 May 2018 12:36:38 -0700 Message-ID: References: <94eb2c0ce3aa27cfa40561ec2dc3@google.com> <1515048794.131759.4.camel@gmail.com> <20180509073754.GG711@sol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: Eric Dumazet , syzbot , alexander.deucher@amd.com, Andrey Konovalov , Anoob Soman , chris@chris-wilson.co.uk, David Miller , "Reshetova, Elena" , Greg Kroah-Hartman , Kees Cook , LKML , Mike Maloney , mchehab@kernel.org, netdev , "Rosen, Rami" , Sowmini Varadhan , syzkaller-bugs@googlegroups.com, Willem de Bruijn To: Willem de Bruijn , Eric Biggers Return-path: In-Reply-To: Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On 05/09/2018 12:21 PM, Willem de Bruijn wrote: > Indeed. The skb shared info struct is zeroed by dev_validate_header > as a result of dev->hard_header_len exceeding skb->end - skb->data. > > Not exactly sure yet how this can happen. The hard header length space > is accounted for during allocation as reserved memory. But, > packet_alloc_skb does call skb_reserve(), moving skb->data > effectively beyond this reserved region. > > It may be incorrect to pass skb->data to dev_validate_header, as that > does not point to the start of the ll_header anymore. Still figuring out what > the right fix is.. > I believe the bug happens if the sock_wmalloc() call at line 1921 has to sleep. device can change (or at lest dev->hard_header_len can change) So we need to bailout if reserved/hhlen had changed. Or revert some patches, since dev_hold() and dev_put() are no longer high cost, since it is now using per cpu counter.