Date: Fri, 8 Jan 2021 19:14:51 -0800
From: Jakub Kicinski
To: Daniel Borkmann, Dongseok Yi, Willem de Bruijn
Cc: "David S. Miller", Miaohe Lin, Paolo Abeni, Florian Westphal, Al Viro, Guillaume Nault, Yunsheng Lin, Steffen Klassert, Yadu Kishore, Marco Elver, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, namkyu78.kim@samsung.com
Subject: Re: [PATCH net v3] net: fix use-after-free when UDP GRO with shared fraglist
Message-ID: <20210108191451.4eaa29a8@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
In-Reply-To: <9d8cccfe-21d1-4bd2-0cce-4e8af2dd6ef6@iogearbox.net>
References: <1609979953-181868-1-git-send-email-dseok.yi@samsung.com> <1610072918-174177-1-git-send-email-dseok.yi@samsung.com> <9d8cccfe-21d1-4bd2-0cce-4e8af2dd6ef6@iogearbox.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 8 Jan 2021 11:18:39 +0100 Daniel Borkmann wrote:
> On 1/8/21 3:28 AM, Dongseok Yi wrote:
> > skbs in fraglist could be shared by a BPF filter loaded at TC. If TC
> > writes, it will call skb_ensure_writable -> pskb_expand_head to create
> > a private linear section for the head_skb. And then call
> > skb_clone_fraglist -> skb_get on each skb in the fraglist.
> >
> > skb_segment_list overwrites part of the skb linear section of each
> > fragment itself. Even after skb_clone, the frag_skbs share their
> > linear section with their clone in PF_PACKET.
> >
> > Both sk_receive_queue of PF_PACKET and PF_INET (or PF_INET6) can have
> > a link for the same frag_skbs chain. If a new skb (not frags) is
> > queued to one of the sk_receive_queue, multiple ptypes can see and
> > release this. It causes use-after-free.
> >
> > [ 4443.426215] ------------[ cut here ]------------
> > [ 4443.426222] refcount_t: underflow; use-after-free.
> > [ 4443.426291] WARNING: CPU: 7 PID: 28161 at lib/refcount.c:190
> > refcount_dec_and_test_checked+0xa4/0xc8
> > [ 4443.426726] pstate: 60400005 (nZCv daif +PAN -UAO)
> > [ 4443.426732] pc : refcount_dec_and_test_checked+0xa4/0xc8
> > [ 4443.426737] lr : refcount_dec_and_test_checked+0xa0/0xc8
> > [ 4443.426808] Call trace:
> > [ 4443.426813] refcount_dec_and_test_checked+0xa4/0xc8
> > [ 4443.426823] skb_release_data+0x144/0x264
> > [ 4443.426828] kfree_skb+0x58/0xc4
> > [ 4443.426832] skb_queue_purge+0x64/0x9c
> > [ 4443.426844] packet_set_ring+0x5f0/0x820
> > [ 4443.426849] packet_setsockopt+0x5a4/0xcd0
> > [ 4443.426853] __sys_setsockopt+0x188/0x278
> > [ 4443.426858] __arm64_sys_setsockopt+0x28/0x38
> > [ 4443.426869] el0_svc_common+0xf0/0x1d0
> > [ 4443.426873] el0_svc_handler+0x74/0x98
> > [ 4443.426880] el0_svc+0x8/0xc
> >
> > Fixes: 3a1296a38d0c (net: Support GRO/GSO fraglist chaining.)
> > Signed-off-by: Dongseok Yi
> > Acked-by: Willem de Bruijn
> > Acked-by: Daniel Borkmann

Applied, thanks!