From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "David S. Miller", Alexei Starovoitov, Daniel Borkmann, Eric Dumazet, Jason Wang, Will Deacon
Subject: [PATCH 5.5 11/44] tun: Dont put_page() for all negative return values from XDP program
Date: Sat, 11 Apr 2020 14:09:31 +0200
Message-Id: <20200411115457.834219673@linuxfoundation.org>
In-Reply-To: <20200411115456.934174282@linuxfoundation.org>
References: <20200411115456.934174282@linuxfoundation.org>

From: Will Deacon

[ Upstream commit bee348907d19d654e8524d3a946dcd25b693aa7e ]

When an XDP program is installed, tun_build_skb() grabs a reference to the current page fragment page if the program returns XDP_REDIRECT or XDP_TX. However, since tun_xdp_act() passes through negative return values from the XDP program, it is possible to trigger the error path by mistake and accidentally drop a reference to the fragments page without taking one, leading to a spurious free. This is believed to be the cause of some KASAN use-after-free reports from syzbot [1], although without a reproducer it is not possible to confirm whether this patch fixes the problem.

Ensure that we only drop a reference to the fragments page if the XDP transmit or redirect operations actually fail.

[1] https://syzkaller.appspot.com/bug?id=e76a6af1be4acd727ff6bbca669833f98cbf5d95

Cc: "David S. Miller"
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
CC: Eric Dumazet
Acked-by: Jason Wang
Fixes: 8ae1aff0b331 ("tuntap: split out XDP logic")
Signed-off-by: Will Deacon
Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/tun.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1715,8 +1715,12 @@ static struct sk_buff *tun_build_skb(str alloc_frag->offset += buflen; } err = tun_xdp_act(tun, xdp_prog, &xdp, act); - if (err < 0) - goto err_xdp; + if (err < 0) { + if (act == XDP_REDIRECT || act == XDP_TX) + put_page(alloc_frag->page); + goto out; + } + if (err == XDP_REDIRECT) xdp_do_flush_map(); if (err != XDP_PASS) @@ -1730,8 +1734,6 @@ static struct sk_buff *tun_build_skb(str return __tun_build_skb(tfile, alloc_frag, buf, buflen, len, pad); -err_xdp: - put_page(alloc_frag->page); out: rcu_read_unlock(); local_bh_enable();
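Review bot: in the first hunk, the new `if (err < 0)` branch decides whether to call put_page() from `act`, but the reference it balances is taken earlier in tun_build_skb(), outside the visible context, so the two conditions now have to be kept in sync by hand. A one-line comment above `if (act == XDP_REDIRECT || act == XDP_TX)` stating that it mirrors the condition under which the page reference was grabbed would make the pairing explicit for the next person who adds an XDP action. It is also worth noting in a comment that `err` carries either a negative errno or the action value, since the following `if (err == XDP_REDIRECT)` test depends on that and this overloading is what the commit message identifies as the source of the spurious put_page().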
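Review bot: in the second hunk, dropping the `err_xdp:` label means the shared `out:` exit no longer releases the page, so any other `goto err_xdp` left in tun_build_skb() would fail to build, and any error path added later between the tun_xdp_act() call and the return must drop the reference itself. The visible context does not show the rest of the function, so please confirm this was the only user of the label.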