From: Cong Wang
Date: Tue, 30 Apr 2019 16:33:28 -0700
Subject: Re: [PATCH] tun: Fix use-after-free in tun_net_xmit
To: YueHaibing
Cc: Jason Wang, "weiyongjun (A)", David Miller, Eric Dumazet, Jesper Dangaard Brouer, "Michael S. Tsirkin", "Li,Rongqing", nicolas dichtel, Chas Williams <3chas3@gmail.com>, wangli39@baidu.com, LKML, Linux Kernel Network Developers, Peter Xu

On Mon, Apr 29, 2019 at 7:44 PM YueHaibing wrote:
>
> With SOCK_RCU_FREE tfile is ok,
>
> but tfile->sk is freed by sock_put in __tun_detach, it will trigger

SOCK_RCU_FREE is exactly for sock and for sock_put(), you need to look into sock_put() path to see where SOCK_RCU_FREE is tested.

>
> use-after-free in tun_net_xmit if tun->numqueues check passed.

Why do you believe we still have use-after-free with SOCK_RCU_FREE?

tun_net_xmit() holds RCU read lock, so with SOCK_RCU_FREE, the sock won't be freed until tun_net_xmit() releases RCU read lock. This is just how RCU works...
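
A single-threaded toy model of the ordering argued in the reply above, added here as an illustration and not code from the kernel or from anyone in this thread. All `toy_*` names are hypothetical, and the rule that the grace period ends when the last reader leaves is a simplifying assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model: all toy_* names are hypothetical, not kernel API. */
struct toy_sock {
    int refcnt;
    bool rcu_free;               /* stands in for the SOCK_RCU_FREE flag */
    bool freed;                  /* recorded instead of calling free() */
    struct toy_sock *next;       /* link in the deferred-free list */
};

static int toy_readers;               /* open read-side critical sections */
static struct toy_sock *toy_deferred; /* frees waiting for a grace period */

static void toy_rcu_read_lock(void) { toy_readers++; }

/* Assumption: the grace period ends when the last reader leaves. */
static void toy_rcu_read_unlock(void) {
    if (--toy_readers > 0)
        return;
    for (; toy_deferred; toy_deferred = toy_deferred->next)
        toy_deferred->freed = true;
}

/* Last put frees at once, or defers past current readers if rcu_free. */
static void toy_sock_put(struct toy_sock *sk) {
    if (--sk->refcnt > 0)
        return;
    if (sk->rcu_free && toy_readers > 0) {
        sk->next = toy_deferred;
        toy_deferred = sk;
    } else {
        sk->freed = true;
    }
}

/* 2: freed while the reader still used it; 1: freed only after the
 * reader unlocked; 0: never freed. */
static int toy_scenario(bool rcu_free) {
    struct toy_sock sk = { .refcnt = 1, .rcu_free = rcu_free };
    toy_rcu_read_lock();             /* transmit path starts using sk */
    toy_sock_put(&sk);               /* detach path drops the last ref */
    bool early = sk.freed;
    toy_rcu_read_unlock();           /* reader done, grace period ends */
    return early ? 2 : (sk.freed ? 1 : 0);
}

int main(void) {
    printf("flag set: %d, flag clear: %d\n", toy_scenario(true), toy_scenario(false));
    return 0;
}
```

With the flag set, the free lands only after the read-side section closes. With it clear, the object is gone while the reader still holds a pointer to it.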