The put lowers the reference count to 0 and frees ctx; reading it afterwards is invalid. Move the put after the uses and determine the last use by the reference count being 1.
Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
Signed-off-by: Ian Rogers irogers@google.com
---
 tools/testing/selftests/bpf/xsk.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/bpf/xsk.c b/tools/testing/selftests/bpf/xsk.c index f2721a4ae7c5..0b3ff49c740d 100644 --- a/tools/testing/selftests/bpf/xsk.c +++ b/tools/testing/selftests/bpf/xsk.c @@ -1237,15 +1237,15 @@ void xsk_socket__delete(struct xsk_socket *xsk) ctx = xsk->ctx; umem = ctx->umem;
- xsk_put_ctx(ctx, true); - - if (!ctx->refcount) { + if (ctx->refcount == 1) { xsk_delete_bpf_maps(xsk); close(ctx->prog_fd); if (ctx->has_bpf_link) close(ctx->link_fd); }
+ xsk_put_ctx(ctx, true); + err = xsk_get_mmap_offsets(xsk->fd, &off); if (!err) { if (xsk->rx) {
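Review bot: The `if (ctx->refcount == 1)` test that now precedes `xsk_put_ctx(ctx, true)` depends on the put dropping exactly one reference and freeing ctx at zero, and nothing at the call site says so. A one-line comment above the check (last reference, ctx is freed by the put below) would keep a later reorder from reintroducing the read after free. Alternatively the put could report whether it released the last reference so the caller does not inspect `ctx->refcount` directly, though the teardown would then have to avoid reading `ctx->prog_fd` and `ctx->link_fd` after the free. The check and the decrement are two separate steps on a plain field, so the result is only correct while no other path changes the count in between. The rest of the function after `xsk_get_mmap_offsets()` is not visible in this hunk; it should be confirmed that it uses only `xsk` and the cached `umem`, not `ctx`.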
On Thu, Sep 1, 2022 at 10:56 PM Ian Rogers irogers@google.com wrote:
The put lowers the reference count to 0 and frees ctx; reading it afterwards is invalid. Move the put after the uses and determine the last use by the reference count being 1.
Thanks for spotting and fixing this, Ian.
Acked-by: Magnus Karlsson magnus.karlsson@intel.com
Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
Signed-off-by: Ian Rogers irogers@google.com

 tools/testing/selftests/bpf/xsk.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/bpf/xsk.c b/tools/testing/selftests/bpf/xsk.c index f2721a4ae7c5..0b3ff49c740d 100644 --- a/tools/testing/selftests/bpf/xsk.c +++ b/tools/testing/selftests/bpf/xsk.c @@ -1237,15 +1237,15 @@ void xsk_socket__delete(struct xsk_socket *xsk) ctx = xsk->ctx; umem = ctx->umem;
xsk_put_ctx(ctx, true);
if (!ctx->refcount) {
if (ctx->refcount == 1) { xsk_delete_bpf_maps(xsk); close(ctx->prog_fd); if (ctx->has_bpf_link) close(ctx->link_fd); }
xsk_put_ctx(ctx, true);
err = xsk_get_mmap_offsets(xsk->fd, &off); if (!err) { if (xsk->rx) {
-- 2.37.2.789.g6183377224-goog
Hello:
This patch was applied to bpf/bpf-next.git (master) by Daniel Borkmann daniel@iogearbox.net:
On Thu, 1 Sep 2022 13:26:45 -0700 you wrote:
The put lowers the reference count to 0 and frees ctx; reading it afterwards is invalid. Move the put after the uses and determine the last use by the reference count being 1.

Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
Signed-off-by: Ian Rogers irogers@google.com
[...]
Here is the summary with links:
  - [v1] selftests/xsk: Avoid use-after-free on ctx
    https://git.kernel.org/bpf/bpf-next/c/af515a5587b8
You are awesome, thank you!
linux-kselftest-mirror@lists.linaro.org