Re: [PATCH] net: fix skb use after free in netpoll_send_skb_on_dev

From: David Miller
Date: Sun Aug 25 2019 - 22:48:16 EST

Next message: Yuehaibing: "Re: [PATCH -next] iio: st_sensors: Fix build error"
Previous message: Rundong Ge: "Re: [PATCH] bridge:fragmented packets dropped by bridge"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Feng Sun <loyou85@xxxxxxxxx>
Date: Sat, 24 Aug 2019 00:32:00 +0800

> After commit baeababb5b85d5c4e6c917efe2a1504179438d3b
> ("tun: return NET_XMIT_DROP for dropped packets"),
> when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP,
> netpoll_send_skb_on_dev will run into two use after free cases:

I don't know what to do here.

Really, the intention of the design is that the only valid
->ndo_start_xmit() values are those with macro names fitting the
pattern NETDEV_TX_*, which means only NETDEV_TX_OK and NETDEV_TX_BUSY
are valid.

NET_XMIT_* values are for qdisc ->enqueue() methods.

Note, particularly, that when ->ndo_start_xmit() values are propagated
through ->enqueue() calls they get masked out with NET_XMIT_MASK.

However, I see that most of the code doing enqueueing and invocation
of ->ndo_start_xmit() use the dev_xmit_complete() helper to check this
condition.

So probably that is what netpoll should be using as well.

Next message: Yuehaibing: "Re: [PATCH -next] iio: st_sensors: Fix build error"
Previous message: Rundong Ge: "Re: [PATCH] bridge:fragmented packets dropped by bridge"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]