Subject: Re: KASAN: use-after-free Read in __dev_queue_xmit
To: Willem de Bruijn, Eric Biggers
Cc: Eric Dumazet, syzbot, alexander.deucher@amd.com, Andrey Konovalov, Anoob Soman, chris@chris-wilson.co.uk, David Miller, "Reshetova, Elena", Greg Kroah-Hartman, Kees Cook, LKML, Mike Maloney, mchehab@kernel.org, netdev, "Rosen, Rami", Sowmini Varadhan, syzkaller-bugs@googlegroups.com, Willem de Bruijn
References: <94eb2c0ce3aa27cfa40561ec2dc3@google.com> <1515048794.131759.4.camel@gmail.com> <20180509073754.GG711@sol.localdomain>
From: Eric Dumazet
Date: Wed, 9 May 2018 12:36:38 -0700
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/09/2018 12:21 PM, Willem de Bruijn wrote:
> Indeed.
> The skb shared info struct is zeroed by dev_validate_header
> as a result of dev->hard_header_len exceeding skb->end - skb->data.
>
> Not exactly sure yet how this can happen. The hard header length space
> is accounted for during allocation as reserved memory. But,
> packet_alloc_skb does call skb_reserve(), moving skb->data
> effectively beyond this reserved region.
>
> It may be incorrect to pass skb->data to dev_validate_header, as that
> does not point to the start of the ll_header anymore. Still figuring out what
> the right fix is..
>

I believe the bug happens if the sock_wmalloc() call at line 1921 has to sleep.

The device can change (or at least dev->hard_header_len can change).

So we need to bail out if reserved/hhlen have changed.

Or revert some patches, since dev_hold() and dev_put() are no longer high cost, since they now use a per-cpu counter.
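As an added user-space model of the headroom invariant this thread turns on (not kernel code and not from anyone in the thread): the model_ names are hypothetical stand-ins for sk_buff, net_device, skb_reserve() and the short-header zero-fill in dev_validate_header(). It shows the pad being refused once hard_header_len no longer fits between skb->data and skb->end, and the hhlen re-check after a sleeping allocation that the reply proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct model_skb {                /* hypothetical stand-in for struct sk_buff */
    unsigned char *head, *data, *tail, *end;
};

struct model_dev {                /* hypothetical stand-in for struct net_device */
    unsigned int hard_header_len;
};

/* Allocate `size` bytes; in the kernel the shared info sits at skb->end. */
static void model_alloc(struct model_skb *skb, size_t size)
{
    skb->head = calloc(size, 1);
    skb->data = skb->tail = skb->head;
    skb->end = skb->head + size;
}

/* Mirrors skb_reserve(): advance data/tail, leaving less room before end. */
static void model_reserve(struct model_skb *skb, size_t len)
{
    skb->data += len;
    skb->tail += len;
}

/* Short-header zero-fill guarded by the headroom check the thread is after:
 * pad only if hard_header_len fits between data and end, else refuse. */
static bool model_validate_header(const struct model_dev *dev,
                                  struct model_skb *skb, size_t len)
{
    if (len >= dev->hard_header_len)
        return true;                      /* caller supplied a full header */
    if ((size_t)(skb->end - skb->data) < dev->hard_header_len)
        return false;                     /* pad would overwrite shared info */
    memset(skb->data + len, 0, dev->hard_header_len - len);
    return true;
}

/* The bail-out proposed in the reply: hhlen sampled before a sleeping
 * allocation must still match the device afterwards. */
static bool model_hhlen_unchanged(unsigned int hhlen_before,
                                  const struct model_dev *dev)
{
    return hhlen_before == dev->hard_header_len;
}
```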