From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <netdev-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([184.105.139.130]:48634 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751911AbeCQVEi (ORCPT
        <rfc822;netdev@vger.kernel.org>); Sat, 17 Mar 2018 17:04:38 -0400
Date: Sat, 17 Mar 2018 17:04:36 -0400 (EDT)
Message-Id: <20180317.170436.583222455278265829.davem@davemloft.net>
To: edumazet@google.com
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com,
        john.fastabend@gmail.com, jhs@mojatatu.com
Subject: Re: [PATCH v2 net] net: sched: fix uses after free
From: David Miller <davem@davemloft.net>
In-Reply-To: <20180315015300.233327-1-edumazet@google.com>
References: <20180315015300.233327-1-edumazet@google.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

From: Eric Dumazet <edumazet@google.com>
Date: Wed, 14 Mar 2018 18:53:00 -0700

> syzbot reported one use-after-free in pfifo_fast_enqueue() [1]
> 
> Issue here is that we can not reuse skb after a successful skb_array_produce()
> since another cpu might have consumed it already.
> 
> I believe a similar problem exists in try_bulk_dequeue_skb_slow()
> in case we put an skb into qdisc_enqueue_skb_bad_txq() for lockless qdisc.
 ...
> Fixes: c5ad119fb6c0 ("net: sched: pfifo_fast use skb_array")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot+ed43b6903ab968b16f54@syzkaller.appspotmail.com

Applied, thanks a lot Eric.