From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "David S. Miller", Alexei Starovoitov, Daniel Borkmann, Eric Dumazet, Jason Wang, Will Deacon
Subject: [PATCH 5.4 12/41] tun: Dont put_page() for all negative return values from XDP program
Date: Sat, 11 Apr 2020 14:09:21 +0200
Message-Id: <20200411115504.966396550@linuxfoundation.org>

From: Will Deacon

[ Upstream commit bee348907d19d654e8524d3a946dcd25b693aa7e ]

When an XDP program is installed, tun_build_skb() grabs a reference to
the current page fragment page if the program returns XDP_REDIRECT or
XDP_TX. However, since tun_xdp_act() passes through negative return
values from the XDP program, it is possible to trigger the error path by
mistake and accidentally drop a reference to the fragments page without
taking one, leading to a spurious free. This is believed to be the cause
of some KASAN use-after-free reports from syzbot [1], although without a
reproducer it is not possible to confirm whether this patch fixes the
problem.

Ensure that we only drop a reference to the fragments page if the XDP
transmit or redirect operations actually fail.

[1] https://syzkaller.appspot.com/bug?id=e76a6af1be4acd727ff6bbca669833f98cbf5d95

Cc: "David S. Miller"
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
CC: Eric Dumazet
Acked-by: Jason Wang
Fixes: 8ae1aff0b331 ("tuntap: split out XDP logic")
Signed-off-by: Will Deacon
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/tun.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c @@ -1715,8 +1715,12 @@ static struct sk_buff *tun_build_skb(str alloc_frag->offset += buflen; } err = tun_xdp_act(tun, xdp_prog, &xdp, act); - if (err < 0) - goto err_xdp; + if (err < 0) { + if (act == XDP_REDIRECT || act == XDP_TX) + put_page(alloc_frag->page); + goto out; + } + if (err == XDP_REDIRECT) xdp_do_flush_map(); if (err != XDP_PASS) @@ -1730,8 +1734,6 @@ static struct sk_buff *tun_build_skb(str return __tun_build_skb(tfile, alloc_frag, buf, buflen, len, pad); -err_xdp: - put_page(alloc_frag->page); out: rcu_read_unlock(); local_bh_enable();
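
Review bot: In the first hunk, the test `if (act == XDP_REDIRECT || act == XDP_TX)` in front of `put_page(alloc_frag->page)` re-derives which actions took a page reference, and nothing in the code ties it to the place in tun_build_skb() where that reference is grabbed. A one-line comment above the test saying that it pairs with the reference taken for XDP_REDIRECT and XDP_TX, or a local flag set when the reference is taken and checked here, would keep the get and the put from drifting apart if another action ever takes a reference. Since the commit message states that the fix could not be confirmed without a reproducer, the syzbot report [1] should be rechecked once this is applied rather than treated as closed.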