author Magnus Karlsson <magnus.karlsson@intel.com> 2020-09-02 09:36:04 +0200
committer Daniel Borkmann <daniel@iogearbox.net> 2020-09-02 23:37:19 +0200
commit 83cf5c68d663fc78ce529c41bf24f9f6be88bef4 (patch)
tree 01b95b3eb5bb1654b9eb7f13ed425f2f5b1db5cf
parent 1d6fd78a213ee3874f46bdce083b7a41d208886d (diff)
xsk: Fix use-after-free in failed shared_umem bind

Fix use-after-free when a shared umem bind fails. The code incorrectly tried to free the allocated buffer pool both in the bind code and then later also when the socket was released. Fix this by setting the buffer pool pointer to NULL after the bind code has freed the pool, so that the socket release code will not try to free the pool. This is the same solution as the regular, non-shared umem code path has. This was missing from the shared umem path.

Fixes: b5aea28dca13 ("xsk: Add shared umem support between queue ids")
Reported-by: syzbot+5334f62e4d22804e646a@syzkaller.appspotmail.com
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/1599032164-25684-1-git-send-email-magnus.karlsson@intel.com

-rw-r--r-- net/xdp/xsk.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 07c32276c527..3895697f8540 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -711,6 +711,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
dev, qid);
if (err) {
xp_destroy(xs->pool);
+ xs->pool = NULL;
sockfd_put(sock);
goto out_unlock;
}
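
Review bot: In the `if (err)` branch of xsk_bind(), `xp_destroy(xs->pool);` and the new `xs->pool = NULL;` remain two separate statements that every error path has to remember to pair, and the commit message says the shared umem path had missed exactly that while the non-shared path had it. Consider a small helper that destroys the pool and clears the pointer in one call, used by both paths, so a later error path cannot leave the freed pointer in `xs->pool` again. A short comment at this site saying that socket release also frees `xs->pool` would make the reason for the assignment visible without reading the commit log.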