From: Cong Wang
Date: Sun, 28 Apr 2019 10:49:25 -0700
Subject: Re: [PATCH] tun: Fix use-after-free in tun_net_xmit
To: Yue Haibing
Cc: David Miller, Jason Wang, Eric Dumazet, Jesper Dangaard Brouer, "Michael S. Tsirkin", "Li,Rongqing", Nicolas Dichtel, Chas Williams <3chas3@gmail.com>, wangli39@baidu.com, LKML, Linux Kernel Network Developers
References: <71250616-36c1-0d96-8fac-4aaaae6a28d4@redhat.com> <20190428030539.17776-1-yuehaibing@huawei.com>
In-Reply-To: <20190428030539.17776-1-yuehaibing@huawei.com>

On Sat, Apr 27, 2019 at 8:06 PM Yue Haibing wrote:
>
> If the tun driver has multiple queues and the user closes the last queue via
> tun_detach, then tun->tfiles[index] is not cleared. Then a new
> queue may be added to the tun, which uses rcu_assign_pointer to set
> tun->tfiles[index] to the new tfile and increases numqueues.
> However, if a packet is sent during this time and picks the last
> queue, it may use the old tun->tfiles[index], because there is no
> RCU grace period.

This analysis makes sense. It is a normal scenario for RCU, where
readers could still read even after we unpublish the RCU-protected
structure; we only need to worry about when we free it.

> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index e9ca1c0..3770aba 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -876,6 +876,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file,
>  	 */
>  	rcu_assign_pointer(tfile->tun, tun);
>  	rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
> +	synchronize_net();
>  	tun->numqueues++;
>  	tun_set_real_num_queues(tun);

But this fix doesn't make any sense: we only wait for an RCU grace
period when freeing old ones, not for new ones. An RCU grace period is
all about readers against free.

This is why I came up with the SOCK_RCU_FREE patch, which is also
blocking-free.

Thanks.
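Review bot: the synchronize_net() inserted in tun_attach between rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile) and tun->numqueues++ puts the grace period on the publish side of the new tfile, but the use-after-free described in the commit message is a sender that still holds the old tfile pointer left in tun->tfiles[index] after detach; that old object's lifetime is decided in the detach/free path, which this hunk does not touch, so a reader that picked the stale pointer before the wait can still dereference freed memory after it. The wait (or an RCU-deferred free of the tfile, as the SOCK_RCU_FREE approach mentioned in the reply does) belongs between unpublishing the old pointer and freeing it, not before incrementing numqueues. Also note that synchronize_net() blocks for a full grace period, so every queue attach would now pay that latency.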