Subject: Re: BUG: KASAN: use-after-free Read in tun_net_xmit
To: Cong Wang
Cc: YueHaibing, netdev
From: Jason Wang
Date: Tue, 23 Apr 2019 14:42:43 +0800

On 2019/4/23 2:00 PM, Cong Wang wrote:
> On Mon, Apr 22, 2019 at 2:41 AM Jason Wang wrote:
>>
>> On 2019/4/22 11:57 AM, YueHaibing wrote:
>>> We get a KASAN report as below, but don't have any reproducer.
>>>
>>> Any comments are appreciated.
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in tun_net_xmit+0x1670/0x1750 drivers/net/tun.c:1104
>>> Read of size 8 at addr ffff88836cc26a70 by task swapper/3/0
>>
>> Which kernel version did you use? The calltrace points out a use
>> after free for tun_file structure which should be synchronized through
>> RCU + RTNL lock.
> The tfile socket has to be marked with SOCK_RCU_FREE in order
> to fully respect the RCU grace period.
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index e9ca1c088d0b..31c3210288cb 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -3431,6 +3431,7 @@ static int tun_chr_open(struct inode *inode,
> struct file * file)
> file->private_data = tfile;
> INIT_LIST_HEAD(&tfile->next);
>
> + sock_set_flag(&tfile->sk, SOCK_RCU_FREE);
> sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
>
> return 0;

We did a synchronize_net() when the socket is detached from the netdevice in
__tun_detach() so it looks to me this is unnecessary. But if it solves
the use-after-free, it means we have bugs somewhere.

Thanks
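Review bot: the added sock_set_flag(&tfile->sk, SOCK_RCU_FREE) line in tun_chr_open() has no comment and the patch has no changelog naming which RCU reader can still reach the tfile after it is detached, so the hunk does not show what the flag protects against. The KASAN report points at tun_net_xmit (drivers/net/tun.c:1104), so a comment above the new line should name that read-side path and say why the existing grace-period wait on detach does not already cover it. The report has no reproducer, so the changelog should also state that the fix is untested against the original splat, and a proper description and Signed-off-by are needed before this can be applied.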