From patchwork Thu Sep 1 20:26:45 2022
X-Patchwork-Submitter: Ian Rogers
X-Patchwork-Id: 602032
Date: Thu, 1 Sep 2022 13:26:45 -0700
Message-Id: <20220901202645.1463552-1-irogers@google.com>
Subject: [PATCH v1] selftests/xsk: Avoid use-after-free on ctx
From: Ian Rogers
To: Björn Töpel, Magnus Karlsson, Maciej Fijalkowski, Jonathan Lemon, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko, Shuah Khan, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Ian Rogers
X-Mailing-List: linux-kselftest@vger.kernel.org

The put lowers the reference count to 0 and frees ctx, reading it
afterwards is invalid. Move the put after the uses and determine the
last use by the reference count being 1.

Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
Signed-off-by: Ian Rogers
---
 tools/testing/selftests/bpf/xsk.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/bpf/xsk.c b/tools/testing/selftests/bpf/xsk.c index f2721a4ae7c5..0b3ff49c740d 100644 --- a/tools/testing/selftests/bpf/xsk.c +++ b/tools/testing/selftests/bpf/xsk.c @@ -1237,15 +1237,15 @@ void xsk_socket__delete(struct xsk_socket *xsk) ctx = xsk->ctx; umem = ctx->umem; - xsk_put_ctx(ctx, true); - - if (!ctx->refcount) { + if (ctx->refcount == 1) { xsk_delete_bpf_maps(xsk); close(ctx->prog_fd); if (ctx->has_bpf_link) close(ctx->link_fd); } + xsk_put_ctx(ctx, true); + err = xsk_get_mmap_offsets(xsk->fd, &off); if (!err) { if (xsk->rx) {
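
Review bot: the new `if (ctx->refcount == 1)` test in xsk_socket__delete() decides "this put will be the last one" by reading the counter before the decrement, so the caller now depends on how xsk_put_ctx() counts and is only right if no other reference can be taken or dropped between the check and the moved `xsk_put_ctx(ctx, true);`. A one-line comment above the test saying that the count is inspected before the put because the put may free ctx would make the intent clear to the next reader; alternatively the prog_fd/link_fd teardown could live in the put path, where the count actually reaches 0, so the caller does not need to inspect the field at all. It is also worth confirming that nothing after the moved put still dereferences ctx: the trailing context only touches `xsk->fd` and `xsk->rx`, and `umem` is cached from `ctx->umem` before the put, but the rest of the function is outside this hunk.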