All of lore.kernel.org
 help / color / mirror / Atom feed
From: YueHaibing <yuehaibing@huawei.com>
To: Jason Wang <jasowang@redhat.com>, Cong Wang <xiyou.wangcong@gmail.com>
Cc: netdev <netdev@vger.kernel.org>
Subject: Re: BUG: KASAN: use-after-free Read in tun_net_xmit
Date: Wed, 24 Apr 2019 20:25:13 +0800	[thread overview]
Message-ID: <89745da0-c6c4-d100-eb47-61abfde753a1@huawei.com> (raw)
In-Reply-To: <84f86b46-2de2-d9e2-cb04-d5c50a72449f@redhat.com>

On 2019/4/24 17:11, Jason Wang wrote:
> 
> On 2019/4/24 上午12:41, Cong Wang wrote:
>> On Mon, Apr 22, 2019 at 11:42 PM Jason Wang <jasowang@redhat.com> wrote:
>>>
>>> On 2019/4/23 下午2:00, Cong Wang wrote:
>>>> On Mon, Apr 22, 2019 at 2:41 AM Jason Wang <jasowang@redhat.com> wrote:
>>>>> On 2019/4/22 上午11:57, YueHaibing wrote:
>>>>>> We get a KASAN report as below, but don't have any reproducer.
>>>>>>
>>>>>> Any comments are appreciated.
>>>>>>
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in tun_net_xmit+0x1670/0x1750 drivers/net/tun.c:1104
>>>>>> Read of size 8 at addr ffff88836cc26a70 by task swapper/3/0
>>>>> Which kernel version did you use? The calltrace points out the a use
>>>>> after free for tun_file structure which should be synchronized through
>>>>> RCU + RTNL lock.
>>>> The tfile socket has to be marked with SOCK_RCU_FREE in order
>>>> to fully respect the RCU grace period.
>>>>
>>>> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
>>>> index e9ca1c088d0b..31c3210288cb 100644
>>>> --- a/drivers/net/tun.c
>>>> +++ b/drivers/net/tun.c
>>>> @@ -3431,6 +3431,7 @@ static int tun_chr_open(struct inode *inode,
>>>> struct file * file)
>>>>           file->private_data = tfile;
>>>>           INIT_LIST_HEAD(&tfile->next);
>>>>
>>>> +       sock_set_flag(&tfile->sk, SOCK_RCU_FREE);
>>>>           sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
>>>>
>>>>           return 0;
>>>
>>> We did a synchronize_net() when socket is detached from netdevice in
>>> __tun_detach() so it looks to me this is unnecessary.
>> I knew, but it is only called conditionally, that is:
>>
>>   695         if (tun && !tfile->detached) {
>> ...
>>   710
>>   711                 synchronize_net();
>>
>> And it looks like syzbot just skipped this condition,
> 
> 
> If tfile is detached, it should have gone for the path of synchronize_net() before. If tfile is never attached, tun_net_xmit() doesn't have the chance to access that. I wonder whether or not we should use WRITE_ONCE() for tun->numqueues-- in this fucntion. If the value was not committed to memory before synchronize_net(), we may race with tun_net_xmit() which check txq against tun->numqueues.
> 
> 
>> this is why I believe
>> you still need to respect RCU grace period _unconditionally_ for tfile.
> 
> 
> This is true if I miss subtle race in the code.
> 
> 
> Haibing: could you please try the following test?
> 
> 1) start VM with multiple queue
> 
> 2) using pktgen to inject packets to all queues through tap
> 
> 3) using ethtool to change the combined channels in guest in a loop
> 
> 4) kill the guest
> 
> 

Ok, I will try this.

> Thanks
> 
> 
>> Thanks.
> 
> .
> 


  reply	other threads:[~2019-04-24 12:25 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-22  3:57 BUG: KASAN: use-after-free Read in tun_net_xmit YueHaibing
2019-04-22  9:41 ` Jason Wang
2019-04-22 12:37   ` YueHaibing
2019-04-23  6:00   ` Cong Wang
2019-04-23  6:42     ` Jason Wang
2019-04-23 16:41       ` Cong Wang
2019-04-24  9:11         ` Jason Wang
2019-04-24 12:25           ` YueHaibing [this message]
2019-04-25 16:04             ` YueHaibing
2019-04-26  7:37               ` Jason Wang
2019-04-28  3:05                 ` [PATCH] tun: Fix use-after-free " Yue Haibing
2019-04-28  3:24                   ` Jason Wang
2019-04-28  4:26                     ` Jason Wang
2019-04-28  5:40                       ` weiyongjun (A)
2019-04-28  7:51                         ` Jason Wang
2019-04-28 17:59                           ` Cong Wang
2019-04-29  2:23                             ` Jason Wang
2019-04-29  3:53                               ` weiyongjun (A)
2019-04-29 13:07                               ` YueHaibing
2019-04-29 16:38                               ` Cong Wang
2019-04-30  2:44                                 ` YueHaibing
2019-04-30 23:33                                   ` Cong Wang
2019-05-05  9:09                                 ` Jason Wang
2019-04-28 17:49                   ` Cong Wang
2019-04-29 14:55                   ` Michael S. Tsirkin
2019-04-29 16:58                     ` Cong Wang
2019-04-30  5:11                       ` weiyongjun (A)
2019-04-30 23:42                         ` Cong Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=89745da0-c6c4-d100-eb47-61abfde753a1@huawei.com \
    --to=yuehaibing@huawei.com \
    --cc=jasowang@redhat.com \
    --cc=netdev@vger.kernel.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.