netdev.vger.kernel.org archive mirror
* [PATCH bpf-next] xsk: fix possible segfault in xsk umem diagnostics
@ 2020-09-02  8:52 Magnus Karlsson
  2020-09-02 14:57 ` Daniel Borkmann
  0 siblings, 1 reply; 2+ messages in thread
From: Magnus Karlsson @ 2020-09-02  8:52 UTC (permalink / raw)
  To: magnus.karlsson, bjorn.topel, ast, daniel, netdev, jonathan.lemon; +Cc: bpf

Fix possible segfault in the xsk diagnostics code when dumping
information about the umem. This can happen when a umem has been
created, but the socket has not been bound yet. In this case, the xsk
buffer pool does not exist yet and we cannot dump the information
that was moved from the umem to the buffer pool. Fix this by testing
for the existence of the buffer pool and if not there, do not dump any
of that information.

Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Reported-by: syzbot+3f04d36b7336f7868066@syzkaller.appspotmail.com
Fixes: c2d3d6a47462 ("xsk: Move queue_id, dev and need_wakeup to buffer pool")
Fixes: 7361f9c3d719 ("xsk: Move fill and completion rings to buffer pool")
---
 net/xdp/xsk_diag.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/xdp/xsk_diag.c b/net/xdp/xsk_diag.c
index 5bd8ea9..3cf6435 100644
--- a/net/xdp/xsk_diag.c
+++ b/net/xdp/xsk_diag.c
@@ -59,8 +59,8 @@ static int xsk_diag_put_umem(const struct xdp_sock *xs, struct sk_buff *nlskb)
 	du.num_pages = umem->npgs;
 	du.chunk_size = umem->chunk_size;
 	du.headroom = umem->headroom;
-	du.ifindex = pool->netdev ? pool->netdev->ifindex : 0;
-	du.queue_id = pool->queue_id;
+	du.ifindex = (pool && pool->netdev) ? pool->netdev->ifindex : 0;
+	du.queue_id = pool ? pool->queue_id : 0;
 	du.flags = 0;
 	if (umem->zc)
 		du.flags |= XDP_DU_F_ZEROCOPY;
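Review bot: In the du.queue_id assignment, the fallback value 0 for a missing pool is also a valid queue id, so a dump of an unbound socket looks the same in that field as one bound to queue 0. Only du.ifindex == 0 tells the reader that nothing is bound. A short comment above these two lines saying that pool is NULL until the socket is bound, and that queue_id is only meaningful when ifindex is non-zero, would keep diagnostic consumers from misreading the field.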
@@ -68,10 +68,10 @@ static int xsk_diag_put_umem(const struct xdp_sock *xs, struct sk_buff *nlskb)
 
 	err = nla_put(nlskb, XDP_DIAG_UMEM, sizeof(du), &du);
 
-	if (!err && pool->fq)
+	if (!err && pool && pool->fq)
 		err = xsk_diag_put_ring(pool->fq,
 					XDP_DIAG_UMEM_FILL_RING, nlskb);
-	if (!err && pool->cq) {
+	if (!err && pool && pool->cq) {
 		err = xsk_diag_put_ring(pool->cq, XDP_DIAG_UMEM_COMPLETION_RING,
 					nlskb);
 	}
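Review bot: The "pool &&" test is now repeated in both ring conditions, on top of the two tests in the first hunk. Wrapping the fill and completion ring dumps in a single "if (!err && pool) { ... }" block would check the pointer once and make it obvious that both rings are skipped together for an unbound socket. While here, the cq branch keeps braces around a single statement and the fq branch does not, so one style could be picked for both.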
-- 
2.7.4



* Re: [PATCH bpf-next] xsk: fix possible segfault in xsk umem diagnostics
  2020-09-02  8:52 [PATCH bpf-next] xsk: fix possible segfault in xsk umem diagnostics Magnus Karlsson
@ 2020-09-02 14:57 ` Daniel Borkmann
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Borkmann @ 2020-09-02 14:57 UTC (permalink / raw)
  To: Magnus Karlsson, bjorn.topel, ast, netdev, jonathan.lemon; +Cc: bpf

On 9/2/20 10:52 AM, Magnus Karlsson wrote:
> Fix possible segfault in the xsk diagnostics code when dumping
> information about the umem. This can happen when a umem has been
> created, but the socket has not been bound yet. In this case, the xsk
> buffer pool does not exist yet and we cannot dump the information
> that was moved from the umem to the buffer pool. Fix this by testing
> for the existence of the buffer pool and if not there, do not dump any
> of that information.
> 
> Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
> Reported-by: syzbot+3f04d36b7336f7868066@syzkaller.appspotmail.com
> Fixes: c2d3d6a47462 ("xsk: Move queue_id, dev and need_wakeup to buffer pool")
> Fixes: 7361f9c3d719 ("xsk: Move fill and completion rings to buffer pool")

Applied, thanks!
