Re: [PATCH] tun: Fix use-after-free in tun_net_xmit

From: Cong Wang
Date: Tue Apr 30 2019 - 19:33:51 EST

Next message: Tobin C. Harding: "kobject_init_and_add() confusion"
Previous message: David Kozub: "[PATCH 0/3] block: sed-opal: add support for shadow MBR done flag and write"
In reply to: YueHaibing: "Re: [PATCH] tun: Fix use-after-free in tun_net_xmit"
Next in thread: Cong Wang: "Re: [PATCH] tun: Fix use-after-free in tun_net_xmit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Apr 29, 2019 at 7:44 PM YueHaibing <yuehaibing@xxxxxxxxxx> wrote:
>
> With SOCK_RCU_FREE tfile is ok ,
>
> but tfile->sk is freed by sock_put in __tun_detach, it will trgger

SOCK_RCU_FREE is exactly for sock and for sock_put(),
you need to look into sock_put() path to see where SOCK_RCU_FREE
is tested.

>
> use-after-free in tun_net_xmit if tun->numqueues check passed.

Why do you believe we still have use-after-free with SOCK_RCU_FREE?

tun_net_xmit() holds RCU read lock, so with SOCK_RCU_FREE,
the sock won't be freed until tun_net_xmit() releases RCU read lock.
This is just how RCU works...

Next message: Tobin C. Harding: "kobject_init_and_add() confusion"
Previous message: David Kozub: "[PATCH 0/3] block: sed-opal: add support for shadow MBR done flag and write"
In reply to: YueHaibing: "Re: [PATCH] tun: Fix use-after-free in tun_net_xmit"
Next in thread: Cong Wang: "Re: [PATCH] tun: Fix use-after-free in tun_net_xmit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]