xsk: Fix use-after-free in failed shared_umem bind
Fix use-after-free when a shared umem bind fails. The code incorrectly
tried to free the allocated buffer pool both in the bind code and then
later also when the socket was released. Fix this by setting the
buffer pool pointer to NULL after the bind code has freed the pool, so
that the socket release code will not try to free the pool. This is
the same solution as the regular, non-shared umem code path has. This
was missing from the shared umem path.

Fixes: b5aea28 ("xsk: Add shared umem support between queue ids")
Reported-by: syzbot+5334f62e4d22804e646a@syzkaller.appspotmail.com
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/1599032164-25684-1-git-send-email-magnus.karlsson@intel.com
Magnus Karlsson authored and Daniel Borkmann committed Sep 2, 2020
1 parent 1d6fd78 commit 83cf5c6
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/xdp/xsk.c
@@ -711,6 +711,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
dev, qid);
if (err) {
xp_destroy(xs->pool);
xs->pool = NULL;
sockfd_put(sock);
goto out_unlock;
}
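
Review bot: The `xs->pool = NULL;` reset in the `if (err)` branch of xsk_bind() has no comment explaining why it is needed, and the commit message says the same reset already existed on the non-shared umem path and was simply missed here. A one-line comment noting that the socket release path would otherwise free the pool a second time would make the intent clear. Since the destroy-then-clear pair now appears on two error paths, consider a small helper that does both so a later error path cannot omit the clear. The fix also depends on the release code tolerating a NULL `xs->pool`; that is not visible in this hunk and is worth confirming.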
