Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Sowmini Varadhan
On (02/10/17 10:00), Cong Wang wrote: > My understanding about the race here is packet_release() doesn't > wait for flying packets correctly, which leads to a flying packet still > refers to the struct sock which is being released. > > This could happen because struct packet_fanout is refcn'ted,

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Cong Wang
On Fri, Feb 10, 2017 at 10:02 AM, Eric Dumazet wrote: > On Fri, 2017-02-10 at 09:59 -0800, Eric Dumazet wrote: >> On Fri, 2017-02-10 at 09:49 -0800, Cong Wang wrote: >> > On Thu, Feb 9, 2017 at 7:23 PM, Eric Dumazet >> > wrote: >> > > On Thu, 2017-02-09 at 19:19 -0800, Eric Dumazet wrote: >> >

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Eric Dumazet
On Fri, 2017-02-10 at 10:02 -0800, Cong Wang wrote: > I don't have to give a 100% correct patch to prove my explanation > of the crash. At least it makes more sense than yours... I will submit it regardless of what you think. It solves _another_ issue, one of 10 in af_packet.c

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Eric Dumazet
On Fri, 2017-02-10 at 09:59 -0800, Eric Dumazet wrote: > On Fri, 2017-02-10 at 09:49 -0800, Cong Wang wrote: > > On Thu, Feb 9, 2017 at 7:23 PM, Eric Dumazet wrote: > > > On Thu, 2017-02-09 at 19:19 -0800, Eric Dumazet wrote: > > > > > >> More likely the bug is in fanout_add(), with a buggy

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Cong Wang
On Fri, Feb 10, 2017 at 9:59 AM, Eric Dumazet wrote: > On Fri, 2017-02-10 at 09:49 -0800, Cong Wang wrote: >> On Thu, Feb 9, 2017 at 7:23 PM, Eric Dumazet wrote: >> > On Thu, 2017-02-09 at 19:19 -0800, Eric Dumazet wrote: >> > >> >> More likely the bug is in fanout_add(), with a buggy sequence

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Cong Wang
On Thu, Feb 9, 2017 at 7:33 PM, Sowmini Varadhan wrote: > On (02/09/17 19:19), Eric Dumazet wrote: >> >> More likely the bug is in fanout_add(), with a buggy sequence in error >> case, and not correct locking. >> >> kfree(po->rollover); >> po->rollover = NULL; >> >> Two cpus entering fanout_add()

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Eric Dumazet
On Fri, 2017-02-10 at 09:49 -0800, Cong Wang wrote: > On Thu, Feb 9, 2017 at 7:23 PM, Eric Dumazet wrote: > > On Thu, 2017-02-09 at 19:19 -0800, Eric Dumazet wrote: > > > >> More likely the bug is in fanout_add(), with a buggy sequence in error > >> case, and not correct locking. > >> > >>

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-10 Thread Cong Wang
On Thu, Feb 9, 2017 at 7:23 PM, Eric Dumazet wrote: > On Thu, 2017-02-09 at 19:19 -0800, Eric Dumazet wrote: > >> More likely the bug is in fanout_add(), with a buggy sequence in error >> case, and not correct locking. >> >> kfree(po->rollover); >> po->rollover = NULL; >> >> Two cpus entering

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Eric Dumazet
On Thu, Feb 9, 2017 at 7:33 PM, Sowmini Varadhan wrote: > On (02/09/17 19:19), Eric Dumazet wrote: >> >> More likely the bug is in fanout_add(), with a buggy sequence in error >> case, and not correct locking. >> >> kfree(po->rollover); >> po->rollover = NULL; >> >> Two cpus entering fanout_add()

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Sowmini Varadhan
On (02/09/17 19:19), Eric Dumazet wrote: > > More likely the bug is in fanout_add(), with a buggy sequence in error > case, and not correct locking. > > kfree(po->rollover); > po->rollover = NULL; > > Two cpus entering fanout_add() (using the same af_packet socket, > syzkaller courtesy...)

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Eric Dumazet
On Thu, 2017-02-09 at 19:19 -0800, Eric Dumazet wrote: > More likely the bug is in fanout_add(), with a buggy sequence in error > case, and not correct locking. > > kfree(po->rollover); > po->rollover = NULL; > > Two cpus entering fanout_add() (using the same af_packet socket, > syzkaller

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Eric Dumazet
On Thu, 2017-02-09 at 17:24 -0800, Cong Wang wrote: > On Thu, Feb 9, 2017 at 5:14 AM, Dmitry Vyukov wrote: > > Hello, > > > > I've got the following use-after-free report in packet_rcv_fanout > > while running syzkaller fuzzer on linux-next > > e3e6c5f3544c5d05c6b3b309a34f4f2c3537e993. So far it

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Cong Wang
On Thu, Feb 9, 2017 at 5:14 AM, Dmitry Vyukov wrote: > Hello, > > I've got the following use-after-free report in packet_rcv_fanout > while running syzkaller fuzzer on linux-next > e3e6c5f3544c5d05c6b3b309a34f4f2c3537e993. So far it happened once and > is not reproducible, but maybe the stacks

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Eric Dumazet
On Thu, Feb 9, 2017 at 7:12 AM, Sowmini Varadhan wrote: > On (02/09/17 14:14), Dmitry Vyukov wrote: >> >> Call Trace: >: >> packet_rcv_has_room+0x25/0xb0 net/packet/af_packet.c:1308 >> fanout_demux_rollover+0x3bb/0x6b0 net/packet/af_packet.c:1388 >> packet_rcv_fanout+0x674/0x800

Re: net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Sowmini Varadhan
On (02/09/17 14:14), Dmitry Vyukov wrote: > > Call Trace: : > packet_rcv_has_room+0x25/0xb0 net/packet/af_packet.c:1308 > fanout_demux_rollover+0x3bb/0x6b0 net/packet/af_packet.c:1388 > packet_rcv_fanout+0x674/0x800 net/packet/af_packet.c:1490 > dev_queue_xmit_nit+0x73a/0xa90

net/packet: use-after-free in packet_rcv_fanout

2017-02-09 Thread Dmitry Vyukov
Hello, I've got the following use-after-free report in packet_rcv_fanout while running syzkaller fuzzer on linux-next e3e6c5f3544c5d05c6b3b309a34f4f2c3537e993. So far it happened once and is not reproducible, but maybe the stacks will allow you to figure out what happens. BUG: KASAN:
