On Wed, 19 Aug 2020 15:13:49 +0200 Lorenzo Bianconi <lorenzo@xxxxxxxxxx> wrote:
> diff --git a/net/core/xdp.c b/net/core/xdp.c
> index 884f140fc3be..006b24b5d276 100644
> --- a/net/core/xdp.c
> +++ b/net/core/xdp.c
> @@ -370,19 +370,55 @@ static void __xdp_return(void *data, struct xdp_mem_info *mem, bool napi_direct)
>
> void xdp_return_frame(struct xdp_frame *xdpf)
> {
> + struct skb_shared_info *sinfo;
> + int i;
> +
> __xdp_return(xdpf->data, &xdpf->mem, false);
There is a use-after-free race here. The xdpf->data contains the shared_info (xdp_get_shared_info_from_frame(xdpf)). Thus you cannot free/return the page and use this data area below.
> + if (!xdpf->mb)
> + return;
> +
> + sinfo = xdp_get_shared_info_from_frame(xdpf);
> + for (i = 0; i < sinfo->nr_frags; i++) {
> + struct page *page = skb_frag_page(&sinfo->frags[i]);
> +
> + __xdp_return(page_address(page), &xdpf->mem, false);
> + }
> }
> EXPORT_SYMBOL_GPL(xdp_return_frame);
>
> void xdp_return_frame_rx_napi(struct xdp_frame *xdpf)
> {
> + struct skb_shared_info *sinfo;
> + int i;
> +
> __xdp_return(xdpf->data, &xdpf->mem, true);
Same issue.
> + if (!xdpf->mb)
> + return;
> +
> + sinfo = xdp_get_shared_info_from_frame(xdpf);
> + for (i = 0; i < sinfo->nr_frags; i++) {
> + struct page *page = skb_frag_page(&sinfo->frags[i]);
> +
> + __xdp_return(page_address(page), &xdpf->mem, true);
> + }
> }
> EXPORT_SYMBOL_GPL(xdp_return_frame_rx_napi);
>
> void xdp_return_buff(struct xdp_buff *xdp)
> {
> + struct skb_shared_info *sinfo;
> + int i;
> +
> __xdp_return(xdp->data, &xdp->rxq->mem, true);
Same issue.
> + if (!xdp->mb)
> + return;
> +
> + sinfo = xdp_get_shared_info_from_buff(xdp);
> + for (i = 0; i < sinfo->nr_frags; i++) {
> + struct page *page = skb_frag_page(&sinfo->frags[i]);
> +
> + __xdp_return(page_address(page), &xdp->rxq->mem, true);
> + }
> }
--
Best regards, Jesper Dangaard Brouer MSc.CS, Principal Kernel Engineer at Red Hat LinkedIn: http://www.linkedin.com/in/brouer
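Review bot: The frag-return loop is written out three times in this hunk — in xdp_return_frame, xdp_return_frame_rx_napi and xdp_return_buff — with only the `mem` pointer and the napi_direct flag differing, so the copies will drift apart as the multi-buffer path grows. Factoring the walk into one static helper taking `(struct skb_shared_info *sinfo, struct xdp_mem_info *mem, bool napi_direct)` leaves a single place to keep the head/frag ordering right and shrinks each exported function to a guard plus two calls. The helper wants a one-line contract comment such as `/* Must run while the head buffer carrying @sinfo is still owned by the caller. */`, since nothing in its signature conveys that lifetime requirement.
```c
/* Return every page fragment attached to @sinfo. Must run while the head
 * buffer carrying @sinfo is still owned by the caller.
 */
static void xdp_return_frags(struct skb_shared_info *sinfo,
			     struct xdp_mem_info *mem, bool napi_direct)
{
	int i;

	for (i = 0; i < sinfo->nr_frags; i++) {
		struct page *page = skb_frag_page(&sinfo->frags[i]);

		__xdp_return(page_address(page), mem, napi_direct);
	}
}

void xdp_return_frame(struct xdp_frame *xdpf)
{
	if (xdpf->mb)
		xdp_return_frags(xdp_get_shared_info_from_frame(xdpf),
				 &xdpf->mem, false);
	__xdp_return(xdpf->data, &xdpf->mem, false);
}
/* … unchanged: EXPORT_SYMBOL_GPL lines; xdp_return_frame_rx_napi and
 * xdp_return_buff are rewritten the same way with napi_direct = true … */
```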