Message-ID: <CANn89iLeVKPz05daEPCH+Z5WkPGhJAafFu8z-dSsKW725LtEUA@mail.gmail.com>
Date: Wed, 12 Apr 2023 16:04:59 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Liang Chen <liangchen.linux@...il.com>
Cc: kuba@...nel.org, ilias.apalodimas@...aro.org, hawk@...nel.org, davem@...emloft.net, pabeni@...hat.com, netdev@...r.kernel.org, alexander.duyck@...il.com, linyunsheng@...wei.com
Subject: Re: [PATCH v3] skbuff: Fix a race between coalescing and releasing SKBs

On Tue, Apr 11, 2023 at 4:27 AM Liang Chen <liangchen.linux@...il.com> wrote:
>
> Commit 1effe8ca4e34 ("skbuff: fix coalescing for page_pool fragment
> recycling") allowed coalescing to proceed with non page pool page and page
> pool page when @from is cloned, i.e.
>
> to->pp_recycle --> false
> from->pp_recycle --> true
> skb_cloned(from) --> true
>
> However, it actually requires skb_cloned(@from) to hold true until
> coalescing finishes in this situation. If the other cloned SKB is
> released while the merging is in process, from_shinfo->nr_frags will be
> set to 0 toward the end of the function, causing the increment of frag
> page _refcount to be unexpectedly skipped resulting in inconsistent
> reference counts. Later when SKB(@to) is released, it frees the page
> directly even though the page pool page is still in use, leading to
> use-after-free or double-free errors. So it should be prohibited.
>
> Signed-off-by: Liang Chen <liangchen.linux@...il.com>
> ---
> Changes from v2:
> - switch back to the way v1 works and fix some style issues.
>

Reviewed-by: Eric Dumazet <edumazet@...gle.com>
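
The interleaving described in the quoted commit message, replayed deterministically in a small C model. This is an added example, not part of the thread, the patch or the kernel: all struct and function names are hypothetical, the entry check is reconstructed from the commit message's description, and `strict` assumes the fix refuses any `pp_recycle` mismatch (the patch body is not shown on this page).

```c
#include <stdbool.h>

/* Simplified model (not kernel code): one frag page owned by a page pool. */
struct page_m   { int refcount; bool freed; };
struct shinfo_m { int dataref; int nr_frags; struct page_m *frag; };
struct skb_m    { bool pp_recycle; struct shinfo_m *sh; };

static bool cloned(const struct skb_m *s) { return s->sh->dataref > 1; }

/* Coalescing as the commit message describes it. release_clone=true replays
 * the race: the other clone of @from is released mid-merge. strict=true
 * models refusing any pp_recycle mismatch (assumed form of the fix). */
static bool coalesce(struct skb_m *to, struct skb_m *from,
                     bool release_clone, bool strict)
{
    bool from_pp = strict ? from->pp_recycle
                          : (from->pp_recycle && !cloned(from));
    if (to->pp_recycle != from_pp)
        return false;
    to->sh->frag = from->sh->frag;         /* frag descriptor copied to @to */
    to->sh->nr_frags += from->sh->nr_frags;
    if (release_clone)
        from->sh->dataref--;               /* concurrent release of the clone */
    if (!cloned(from))
        from->sh->nr_frags = 0;            /* frags treated as handed over */
    for (int i = 0; i < from->sh->nr_frags; i++)
        from->sh->frag->refcount++;        /* skipped when nr_frags is 0 */
    return true;
}

/* Releasing a non page pool SKB drops the page reference directly. */
static void release_plain(struct skb_m *s)
{
    if (s->sh->nr_frags && --s->sh->frag->refcount == 0)
        s->sh->frag->freed = true;
}

/* Returns true if the pool's page was freed while the pool still owned it. */
static bool pool_page_freed(bool release_clone, bool strict)
{
    struct page_m page = { .refcount = 1 };              /* pool's reference */
    struct shinfo_m fs = { .dataref = 2, .nr_frags = 1, .frag = &page };
    struct shinfo_m ts = { .dataref = 1 };
    struct skb_m from = { .pp_recycle = true, .sh = &fs };
    struct skb_m to = { .pp_recycle = false, .sh = &ts };

    if (coalesce(&to, &from, release_clone, strict))
        release_plain(&to);
    return page.freed;
}
```

Without the race, @to takes its own reference and releasing it leaves the pool's reference intact; with the clone released mid-merge, @to's release drops the pool's only reference.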