From patchwork Tue Jan 28 14:07:49 2020
X-Patchwork-Submitter: Greg Kroah-Hartman
X-Patchwork-Id: 232602
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, Petar Penkov, Willem de Bruijn, "David S. Miller"
Subject: [PATCH 4.19 21/92] tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()
Date: Tue, 28 Jan 2020 15:07:49 +0100
Message-Id: <20200128135811.856076624@linuxfoundation.org>
In-Reply-To: <20200128135809.344954797@linuxfoundation.org>
References: <20200128135809.344954797@linuxfoundation.org>

From: Eric Dumazet

[ Upstream commit 1efba987c48629c0c64703bb4ea76ca1a3771d17 ]

If both IFF_NAPI_FRAGS mode and XDP are enabled, and the XDP program
consumes the skb, we need to clear the napi.skb (or risk
a use-after-free) and release the mutex (or risk a deadlock)

WARNING: lock held when returning to user space!
5.5.0-rc6-syzkaller #0 Not tainted
------------------------------------------------
syz-executor.0/455 is leaving the kernel with locks still held!
1 lock held by syz-executor.0/455:
 #0: ffff888098f6e748 (&tfile->napi_mutex){+.+.}, at: tun_get_user+0x1604/0x3fc0 drivers/net/tun.c:1835

Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Cc: Petar Penkov
Cc: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/tun.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/tun.c +++ b/drivers/net/tun.c
@@ -1900,6 +1900,10 @@ drop: if (ret != XDP_PASS) { rcu_read_unlock(); local_bh_enable(); + if (frags) { + tfile->napi.skb = NULL; + mutex_unlock(&tfile->napi_mutex); + } return total_len; } }
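Review bot: The new `if (frags)` block in the `ret != XDP_PASS` return path has no comment, and `tfile->napi.skb = NULL;` with no matching free reads like a leak to anyone who has not seen the commit message. A one-line comment above it saying the XDP program has already consumed the skb, so the cached pointer is stale and must be dropped, would keep the use-after-free reasoning next to the code. The order of the two added statements matters too: the pointer is cleared while `napi_mutex` is still held and the unlock comes last, which should stay that way if this block is ever refactored. Since the unlock is open-coded on this one early return, it is also worth confirming that every other return taken with `frags` set releases `tfile->napi_mutex`, or moving the clear-and-unlock pair into a shared exit label so a future return path cannot miss it.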