Re: [PATCH net V2] tun: fix use after free for ptr_ring

From: Cong Wang
Date: Fri May 11 2018 - 13:40:02 EST

Next message: Dmitry Vyukov: "Re: general protection fault in usb_find_alt_setting"
Previous message: Will Deacon: "[GIT PULL] arm64: fixes for -rc5"
In reply to: Jason Wang: "[PATCH net V2] tun: fix use after free for ptr_ring"
Next in thread: Jason Wang: "Re: [PATCH net V2] tun: fix use after free for ptr_ring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, May 10, 2018 at 7:49 PM, Jason Wang <jasowang@xxxxxxxxxx> wrote:
> static void __tun_detach(struct tun_file *tfile, bool clean)
> {
> struct tun_file *ntfile;
> @@ -736,7 +727,8 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
> tun->dev->reg_state == NETREG_REGISTERED)
> unregister_netdevice(tun->dev);
> }
> - tun_cleanup_tx_ring(tfile);
> + if (tun)
> + xdp_rxq_info_unreg(&tfile->xdp_rxq);
> sock_put(&tfile->sk);
> }
> }
> @@ -783,14 +775,14 @@ static void tun_detach_all(struct net_device *dev)
> tun_napi_del(tun, tfile);
> /* Drop read queue */
> tun_queue_purge(tfile);
> + xdp_rxq_info_unreg(&tfile->xdp_rxq);
> sock_put(&tfile->sk);
> - tun_cleanup_tx_ring(tfile);
> }
> list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {
> tun_enable_queue(tfile);
> tun_queue_purge(tfile);
> + xdp_rxq_info_unreg(&tfile->xdp_rxq);
> sock_put(&tfile->sk);
> - tun_cleanup_tx_ring(tfile);

Are you sure this is safe?

xdp_rxq_info_unreg() can't be called more than once either,
please make sure the warning that commit c13da21cdb80
("tun: avoid calling xdp_rxq_info_unreg() twice") fixed will not
show up again.

Next message: Dmitry Vyukov: "Re: general protection fault in usb_find_alt_setting"
Previous message: Will Deacon: "[GIT PULL] arm64: fixes for -rc5"
In reply to: Jason Wang: "[PATCH net V2] tun: fix use after free for ptr_ring"
Next in thread: Jason Wang: "Re: [PATCH net V2] tun: fix use after free for ptr_ring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]