ACK/Cmnt: [SRU][B/linux][PATCH] tap: fix use-after-free
stefan.bader at canonical.com
Fri Jul 31 09:12:40 UTC 2020
On 31.07.20 10:28, Juerg Haefliger wrote:
> From: "Michael S. Tsirkin" <mst at redhat.com>
> BugLink: https://bugs.launchpad.net/bugs/1889735
> Lockless access to __ptr_ring_full is only legal if ring is
> never resized, otherwise it might cause use-after free errors.
> Simply drop the lockless test, we'll drop the packet
> a bit later when produce fails.
> Fixes: 362899b8 ("macvtap: switch to use skb array")
> Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (backported from commit 88fae87327a2261cf8db078f6ce4e5a3e55b30b1)
> [juergh: __ptr_ring_full() -> __skb_array_full() due to lack of commit
> 5990a30510ed ("tun/tap: use ptr_ring instead of skb_array").]
> Signed-off-by: Juerg Haefliger <juergh at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
You seem to have tried using the form of regression potential that was asked by
the sru team. Though I am not quite understanding the impact. Not sure how
anyone from sru team would cope. Maybe "some network packets going missing"
would be better.
The testcase should be defined before a kernel with this is hitting proposed.
> drivers/net/tap.c | 3 ---
> 1 file changed, 3 deletions(-)
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index afbe5bec2c33..f8b44d395c2f 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb)
> if (!q)
> return RX_HANDLER_PASS;
> - if (__skb_array_full(&q->skb_array))
> - goto drop;
> skb_push(skb, ETH_HLEN);
> /* Apply the forward feature mask so that we perform segmentation
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the kernel-team