tun: Fix use-after-free on XDP_TX · tjh.dev/kernel@6e8cfd6

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

tun: Fix use-after-free on XDP_TX

On XDP_TX we need to free up the frame only when tun_xdp_tx() returns a
negative value. A positive value indicates that the packet is
successfully enqueued to the ptr_ring, so freeing the page causes
use-after-free.

Fixes: 735fc4054b3a ("xdp: change ndo_xdp_xmit API to support bulking")
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Toshiaki Makita and committed by

David S. Miller 7 years ago 6e8cfd6d 9f80a072

+1 -1

1 changed file

expand all

drivers

net

tun.c

+1 -1

drivers/net/tun.c

··· 1688 1688 case XDP_TX: 1689 1689 get_page(alloc_frag->page); 1690 1690 alloc_frag->offset += buflen; 1691 - if (tun_xdp_tx(tun->dev, &xdp)) 1691 + if (tun_xdp_tx(tun->dev, &xdp) < 0) 1692 1692 goto err_redirect; 1693 1693 rcu_read_unlock(); 1694 1694 local_bh_enable();