From: Cong Wang
Date: Tue, 30 Apr 2019 16:42:31 -0700
Subject: Re: [PATCH] tun: Fix use-after-free in tun_net_xmit
To: "weiyongjun (A)"
Cc: "Michael S. Tsirkin", yuehaibing, David Miller, Jason Wang, Eric Dumazet, Jesper Dangaard Brouer, "Li,Rongqing", Nicolas Dichtel, Chas Williams <3chas3@gmail.com>, "wangli39@baidu.com", LKML, Linux Kernel Network Developers
In-Reply-To: <6AADFAC011213A4C87B956458587ADB4021FE16C@dggeml532-mbs.china.huawei.com>
References: <71250616-36c1-0d96-8fac-4aaaae6a28d4@redhat.com> <20190428030539.17776-1-yuehaibing@huawei.com> <20190429105422-mutt-send-email-mst@kernel.org> <6AADFAC011213A4C87B956458587ADB4021FE16C@dggeml532-mbs.china.huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 29, 2019 at 10:11 PM weiyongjun (A) wrote:
> This patch should not work. The key point is that when detaching the queue
> whose index is equal to tun->numqueues - 1, we do not clear the pointer
> in tun->tfiles:
>
> static void __tun_detach(...)
> {
>     ...
>     /**** if index == tun->numqueues - 1, nothing changed ****/
>     rcu_assign_pointer(tun->tfiles[index],
>                        tun->tfiles[tun->numqueues - 1]);
>     ....
> }

This is _perfectly_ fine. This is just how we _unpublish_ it, RCU is NOT
against unpublish, you keep missing this point. Think about list_del_rcu().
RCU readers could still read the list entry even _after_ list_del_rcu(),
this is perfectly fine, list_del_rcu() just unpublishes the list entry
from a global list, kfree_rcu() is the one that frees it.

So, RCU readers never hate "unpublish", they just hate "free".

>
> And after tfile free, xmit has a chance to get and use the freed file pointer.

With SOCK_RCU_FREE, it won't be freed until the last reader is gone.
This is fundamental to RCU. Please, at least look into sk_destruct().

Thanks.
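Added here as an illustration of the unpublish-versus-free distinction argued in the reply above; it is constructed userspace code, not the tun driver and not part of the patch under discussion. The array swap mirrors the __tun_detach() fragment as quoted; the reader counter and deferred-free list are an assumed simplification standing in for an RCU grace period and the SOCK_RCU_FREE deferral.

```c
#include <stdbool.h>
/* Constructed userspace model of tun->tfiles (not kernel code). The reader
 * counter is an assumed stand-in for an RCU grace period. */
#define MAX_QUEUES 4
struct tfile { bool alive; };

static struct tfile pool[MAX_QUEUES];
static struct tfile *tfiles[MAX_QUEUES];  /* the published array */
static int numqueues;
static int readers;                       /* active "RCU readers" */
static struct tfile *pending[MAX_QUEUES]; /* unpublished, free deferred */
static int npending;

static void read_lock(void) { readers++; }
/* The deferred free runs only once the last reader has left. */
static void read_unlock(void) {
    if (--readers == 0) {
        for (int i = 0; i < npending; i++) pending[i]->alive = false;
        npending = 0;
    }
}

static void attach_all(void) {
    for (int i = 0; i < MAX_QUEUES; i++) { pool[i].alive = true; tfiles[i] = &pool[i]; }
    numqueues = MAX_QUEUES; readers = 0; npending = 0;
}

/* Unpublish as __tun_detach() does: the last entry fills the hole. When
 * index == numqueues - 1 the store is a no-op and the stale pointer stays in
 * its slot; readers are bounded by numqueues, and the free is deferred. */
static struct tfile *detach(int index) {
    struct tfile *tf = tfiles[index];
    tfiles[index] = tfiles[numqueues - 1];
    numqueues--;
    pending[npending++] = tf;             /* like sock_put() on SOCK_RCU_FREE */
    return tf;
}

/* Reader selects the last queue, it is detached underneath the reader, and the
 * reader keeps using its pointer: alive while held, freed only after exit. */
bool stale_pointer_safe_until_reader_exits(void) {
    attach_all();
    read_lock();
    struct tfile *held = tfiles[numqueues - 1];   /* reader picks queue 3 */
    struct tfile *tf = detach(MAX_QUEUES - 1);    /* the numqueues - 1 case */
    bool ok = (tf == held) && held->alive && tfiles[3] == held;
    read_unlock();                                /* last reader gone: free */
    return ok && !held->alive && numqueues == 3;
}
```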