From patchwork Fri Jul 31 08:28:33 2020
X-Patchwork-Submitter: Juerg Haefliger
X-Patchwork-Id: 1339310
From: Juerg Haefliger
To: kernel-team@lists.ubuntu.com
Subject: [SRU][B/linux][PATCH] tap: fix use-after-free
Date: Fri, 31 Jul 2020 10:28:33 +0200
Message-Id: <20200731082833.16568-1-juergh@canonical.com>
X-Mailer: git-send-email 2.25.1
List-Id: Kernel team discussions
From: "Michael S. Tsirkin"

BugLink: https://bugs.launchpad.net/bugs/1889735

Lockless access to __ptr_ring_full is only legal if ring is never resized, otherwise it might cause use-after-free errors. Simply drop the lockless test, we'll drop the packet a bit later when produce fails.

Fixes: 362899b8 ("macvtap: switch to use skb array")
Signed-off-by: Michael S. Tsirkin
Signed-off-by: David S. Miller
(backported from commit 88fae87327a2261cf8db078f6ce4e5a3e55b30b1)
[juergh: __ptr_ring_full() -> __skb_array_full() due to lack of commit 5990a30510ed ("tun/tap: use ptr_ring instead of skb_array").]
Signed-off-by: Juerg Haefliger
Acked-by: Colin Ian King
Acked-by: Stefan Bader
---
 drivers/net/tap.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index afbe5bec2c33..f8b44d395c2f 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb) if (!q) return RX_HANDLER_PASS; - if (__skb_array_full(&q->skb_array)) - goto drop; - skb_push(skb, ETH_HLEN); /* Apply the forward feature mask so that we perform segmentation
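Review bot: Removing the `if (__skb_array_full(&q->skb_array)) goto drop;` check in tap_handle_frame() makes correctness depend entirely on the later produce path, which this hunk does not show; before acking, confirm that the `drop:` label is still reachable from the skb_array produce failure in the Bionic tree so that a frame arriving on a full ring is freed rather than leaked, since the early exit this hunk deletes was the only pre-skb_push drop point. The commit message justifies the removal by saying the packet is dropped "a bit later when produce fails", and the [juergh:] note documents the `__ptr_ring_full()` to `__skb_array_full()` substitution against the file header shown (`index afbe5bec2c33..f8b44d395c2f`), which is consistent with the visible lines; it would help reviewers if the backport note also named the produce call that now performs the full-ring check, as the removed lockless read was the use-after-free exposure (a concurrent resize could free the array out from under it) and the lock-protected check is what closes it. Minor style point on the trailer: `Fixes: 362899b8` uses an 8-character abbreviation where kernel convention is a 12-character SHA.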