On Fri, 13 Jul 2018 13:05:04 +0800
Jason Wang <[email protected]> wrote:
> On 2018年07月13日 12:24, Toshiaki Makita wrote:
> > On XDP_TX we need to free up the frame only when tun_xdp_tx() returns a
> > negative value. A positive value indicates that the packet is
> > successfully enqueued to the ptr_ring, so freeing the page causes
> > use-after-free.
> >
> > Fixes: 735fc4054b3a ("xdp: change ndo_xdp_xmit API to support bulking")
> > Signed-off-by: Toshiaki Makita <[email protected]>
> > ---
> > drivers/net/tun.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> > index a192a01..f5727ba 100644
> > --- a/drivers/net/tun.c
> > +++ b/drivers/net/tun.c
> > @@ -1688,7 +1688,7 @@ static struct sk_buff *tun_build_skb(struct
> > tun_struct *tun,
> > case XDP_TX:
> > get_page(alloc_frag->page);
> > alloc_frag->offset += buflen;
> > - if (tun_xdp_tx(tun->dev, &xdp))
> > + if (tun_xdp_tx(tun->dev, &xdp) < 0)
> > goto err_redirect;
> > rcu_read_unlock();
> > local_bh_enable();
>
> Acked-by: Jason Wang <[email protected]>
Acked-by: Jesper Dangaard Brouer <[email protected]>
Thanks for catching and fixing this!
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer
