Re: [PATCH] net: fix skb use after free in netpoll_send_skb_on_dev
From: David Miller
Date: Sun Aug 25 2019 - 22:48:16 EST
From: Feng Sun <loyou85@xxxxxxxxx>
Date: Sat, 24 Aug 2019 00:32:00 +0800
> After commit baeababb5b85d5c4e6c917efe2a1504179438d3b
> ("tun: return NET_XMIT_DROP for dropped packets"),
> when tun_net_xmit drops packets, it will free skb and return NET_XMIT_DROP,
> netpoll_send_skb_on_dev will run into two use after free cases:

I don't know what to do here.

Really, the intention of the design is that the only valid
->ndo_start_xmit() values are those with macro names fitting the
pattern NETDEV_TX_*, which means only NETDEV_TX_OK and NETDEV_TX_BUSY.

NET_XMIT_* values are for qdisc ->enqueue() methods.

Note, particularly, that when ->ndo_start_xmit() values are propagated
through ->enqueue() calls they get masked out with NET_XMIT_MASK.

However, I see that most of the code doing enqueueing and invocation
of ->ndo_start_xmit() uses the dev_xmit_complete() helper to check this.

So probably that is what netpoll should be using as well.
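
Added example, not part of the original message or the kernel tree: a user-space C model of the return-code check discussed above, showing why a caller that compares against NETDEV_TX_OK would keep using an skb that a dropping ->ndo_start_xmit() has already freed, while dev_xmit_complete() treats it as consumed. The constant values and the helper's logic follow include/linux/netdevice.h; struct mock_skb, the mock_xmit_* functions and requeue_hits_freed_skb() are hypothetical names, and the "== NETDEV_TX_OK" caller is an assumed pattern, not netpoll's actual code.

```c
/* User-space model only. Constants and dev_xmit_complete() mirror
 * include/linux/netdevice.h; all other names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define NET_XMIT_DROP    0x01   /* qdisc ->enqueue() code: skb dropped */
#define NET_XMIT_MASK    0x0f   /* range reserved for NET_XMIT_* codes */
#define NETDEV_TX_OK     0x00   /* driver took care of the packet */
#define NETDEV_TX_BUSY   0x10   /* driver did NOT take the skb */

/* True when the skb was consumed: sent, errored (rc < 0), or dropped. */
static bool dev_xmit_complete(int rc)
{
    return rc < NET_XMIT_MASK;
}

struct mock_skb { bool freed; };

/* Mock ->ndo_start_xmit() that drops: frees the skb, returns NET_XMIT_DROP. */
static int mock_xmit_drop(struct mock_skb *skb)
{
    skb->freed = true;
    return NET_XMIT_DROP;
}

/* Mock ->ndo_start_xmit() with a full ring: the skb stays with the caller. */
static int mock_xmit_busy(struct mock_skb *skb)
{
    (void)skb;
    return NETDEV_TX_BUSY;
}

/* The caller keeps (requeues) the skb only if the driver did not consume it.
 * Returns true if that requeue path would touch an already-freed skb. */
static bool requeue_hits_freed_skb(int (*xmit)(struct mock_skb *), bool use_helper)
{
    struct mock_skb skb = { .freed = false };
    int rc = xmit(&skb);
    bool consumed = use_helper ? dev_xmit_complete(rc) : (rc == NETDEV_TX_OK);
    return !consumed && skb.freed;
}

int main(void)
{
    printf("drop, == NETDEV_TX_OK:     UAF=%d\n", requeue_hits_freed_skb(mock_xmit_drop, false));
    printf("drop, dev_xmit_complete(): UAF=%d\n", requeue_hits_freed_skb(mock_xmit_drop, true));
    printf("busy, dev_xmit_complete(): UAF=%d\n", requeue_hits_freed_skb(mock_xmit_busy, true));
    return 0;
}
```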