| Message ID | 1566577920-20956-1-git-send-email-loyou85@gmail.com |
|---|---|
| State | Changes Requested |
| Delegated to: | David Miller |
| Headers | show |
| Series | net: fix skb use after free in netpoll_send_skb_on_dev | expand |
From: Feng Sun <loyou85@gmail.com> Date: Sat, 24 Aug 2019 00:32:00 +0800 > After commit baeababb5b85d5c4e6c917efe2a1504179438d3b > ("tun: return NET_XMIT_DROP for dropped packets"), > when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP, > netpoll_send_skb_on_dev will run into two use after free cases: I don't know what to do here. Really, the intention of the design is that the only valid ->ndo_start_xmit() values are those with macro names fitting the pattern NETDEV_TX_*, which means only NETDEV_TX_OK and NETDEV_TX_BUSY are valid. NET_XMIT_* values are for qdisc ->enqueue() methods. Note, particularly, that when ->ndo_start_xmit() values are propagated through ->enqueue() calls they get masked out with NET_XMIT_MASK. However, I see that most of the code doing enqueueing and invocation of ->ndo_start_xmit() use the dev_xmit_complete() helper to check this condition. So probably that is what netpoll should be using as well.
diff --git a/net/core/netpoll.c b/net/core/netpoll.c index 2cf27da..b4bffe6 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -335,7 +335,7 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, HARD_TX_UNLOCK(dev, txq); - if (status == NETDEV_TX_OK) + if (status == NETDEV_TX_OK || status == NET_XMIT_DROP) break; } @@ -352,7 +352,7 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, } - if (status != NETDEV_TX_OK) { + if (status != NETDEV_TX_OK && status != NET_XMIT_DROP) { skb_queue_tail(&npinfo->txq, skb); schedule_delayed_work(&npinfo->tx_work,0); }
After commit baeababb5b85d5c4e6c917efe2a1504179438d3b ("tun: return NET_XMIT_DROP for dropped packets"), when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP, netpoll_send_skb_on_dev will run into two use after free cases: 1. retry netpoll_start_xmit with freed skb; 2. queue freed skb in npinfo->txq. hit the first case with following kernel log: [ 117.864773] kernel BUG at mm/slub.c:306! [ 117.864773] invalid opcode: 0000 [#1] SMP PTI [ 117.864774] CPU: 3 PID: 2627 Comm: loop_printmsg Kdump: loaded Tainted: P OE 5.3.0-050300rc5-generic #201908182231 [ 117.864775] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 117.864775] RIP: 0010:kmem_cache_free+0x28d/0x2b0 [ 117.864781] Call Trace: [ 117.864781] ? tun_net_xmit+0x21c/0x460 [ 117.864781] kfree_skbmem+0x4e/0x60 [ 117.864782] kfree_skb+0x3a/0xa0 [ 117.864782] tun_net_xmit+0x21c/0x460 [ 117.864782] netpoll_start_xmit+0x11d/0x1b0 [ 117.864788] netpoll_send_skb_on_dev+0x1b8/0x200 [ 117.864789] __br_forward+0x1b9/0x1e0 [bridge] [ 117.864789] ? skb_clone+0x53/0xd0 [ 117.864790] ? __skb_clone+0x2e/0x120 [ 117.864790] deliver_clone+0x37/0x50 [bridge] [ 117.864790] maybe_deliver+0x89/0xc0 [bridge] [ 117.864791] br_flood+0x6c/0x130 [bridge] [ 117.864791] br_dev_xmit+0x315/0x3c0 [bridge] [ 117.864792] netpoll_start_xmit+0x11d/0x1b0 [ 117.864792] netpoll_send_skb_on_dev+0x1b8/0x200 [ 117.864792] netpoll_send_udp+0x2c6/0x3e8 [ 117.864793] write_msg+0xd9/0xf0 [netconsole] [ 117.864793] console_unlock+0x386/0x4e0 [ 117.864793] vprintk_emit+0x17e/0x280 [ 117.864794] vprintk_default+0x29/0x50 [ 117.864794] vprintk_func+0x4c/0xbc [ 117.864794] printk+0x58/0x6f [ 117.864795] loop_fun+0x24/0x41 [printmsg_loop] [ 117.864795] kthread+0x104/0x140 [ 117.864795] ? 0xffffffffc05b1000 [ 117.864796] ? kthread_park+0x80/0x80 [ 117.864796] ret_from_fork+0x35/0x40 Signed-off-by: Feng Sun <loyou85@gmail.com> Signed-off-by: Xiaojun Zhao <xiaojunzhao141@gmail.com> --- net/core/netpoll.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)