From: Sasha Levin <sashal@kernel•org>
To: linux-kernel@vger•kernel.org, stable@vger•kernel.org
Cc: "Björn Töpel" <bjorn.topel@intel•com>,
"William Tu" <u9012063@gmail•com>,
"Alexei Starovoitov" <ast@kernel•org>,
"Sasha Levin" <sashal@kernel•org>,
netdev@vger•kernel.org, bpf@vger•kernel.org,
xdp-newbies@vger•kernel.org
Subject: [PATCH AUTOSEL 5.1 014/375] libbpf: fix invalid munmap call
Date: Wed, 22 May 2019 15:15:14 -0400 [thread overview]
Message-ID: <20190522192115.22666-14-sashal@kernel.org> (raw)
In-Reply-To: <20190522192115.22666-1-sashal@kernel.org>
From: Björn Töpel <bjorn.topel@intel•com>
[ Upstream commit 0e6741f092979535d159d5a851f12c88bfb7cb9a ]
When unmapping the AF_XDP memory regions used for the rings, an
invalid address was passed to the munmap() calls. Instead of passing
the beginning of the memory region, the descriptor region was passed
to munmap.
When the userspace application tried to tear down an AF_XDP socket,
the operation failed and the application would still have a reference
to socket it wished to get rid of.
Reported-by: William Tu <u9012063@gmail•com>
Fixes: 1cad07884239 ("libbpf: add support for using AF_XDP sockets")
Signed-off-by: Björn Töpel <bjorn.topel@intel•com>
Tested-by: William Tu <u9012063@gmail•com>
Signed-off-by: Alexei Starovoitov <ast@kernel•org>
Signed-off-by: Sasha Levin <sashal@kernel•org>
---
tools/lib/bpf/xsk.c | 77 +++++++++++++++++++++++----------------------
1 file changed, 40 insertions(+), 37 deletions(-)
diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c
index 8d0078b65486f..af5f310ecca1c 100644
--- a/tools/lib/bpf/xsk.c
+++ b/tools/lib/bpf/xsk.c
@@ -248,8 +248,7 @@ int xsk_umem__create(struct xsk_umem **umem_ptr, void *umem_area, __u64 size,
return 0;
out_mmap:
- munmap(umem->fill,
- off.fr.desc + umem->config.fill_size * sizeof(__u64));
+ munmap(map, off.fr.desc + umem->config.fill_size * sizeof(__u64));
out_socket:
close(umem->fd);
out_umem_alloc:
@@ -523,11 +522,11 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname,
struct xsk_ring_cons *rx, struct xsk_ring_prod *tx,
const struct xsk_socket_config *usr_config)
{
+ void *rx_map = NULL, *tx_map = NULL;
struct sockaddr_xdp sxdp = {};
struct xdp_mmap_offsets off;
struct xsk_socket *xsk;
socklen_t optlen;
- void *map;
int err;
if (!umem || !xsk_ptr || !rx || !tx)
@@ -593,40 +592,40 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname,
}
if (rx) {
- map = xsk_mmap(NULL, off.rx.desc +
- xsk->config.rx_size * sizeof(struct xdp_desc),
- PROT_READ | PROT_WRITE,
- MAP_SHARED | MAP_POPULATE,
- xsk->fd, XDP_PGOFF_RX_RING);
- if (map == MAP_FAILED) {
+ rx_map = xsk_mmap(NULL, off.rx.desc +
+ xsk->config.rx_size * sizeof(struct xdp_desc),
+ PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_POPULATE,
+ xsk->fd, XDP_PGOFF_RX_RING);
+ if (rx_map == MAP_FAILED) {
err = -errno;
goto out_socket;
}
rx->mask = xsk->config.rx_size - 1;
rx->size = xsk->config.rx_size;
- rx->producer = map + off.rx.producer;
- rx->consumer = map + off.rx.consumer;
- rx->ring = map + off.rx.desc;
+ rx->producer = rx_map + off.rx.producer;
+ rx->consumer = rx_map + off.rx.consumer;
+ rx->ring = rx_map + off.rx.desc;
}
xsk->rx = rx;
if (tx) {
- map = xsk_mmap(NULL, off.tx.desc +
- xsk->config.tx_size * sizeof(struct xdp_desc),
- PROT_READ | PROT_WRITE,
- MAP_SHARED | MAP_POPULATE,
- xsk->fd, XDP_PGOFF_TX_RING);
- if (map == MAP_FAILED) {
+ tx_map = xsk_mmap(NULL, off.tx.desc +
+ xsk->config.tx_size * sizeof(struct xdp_desc),
+ PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_POPULATE,
+ xsk->fd, XDP_PGOFF_TX_RING);
+ if (tx_map == MAP_FAILED) {
err = -errno;
goto out_mmap_rx;
}
tx->mask = xsk->config.tx_size - 1;
tx->size = xsk->config.tx_size;
- tx->producer = map + off.tx.producer;
- tx->consumer = map + off.tx.consumer;
- tx->ring = map + off.tx.desc;
+ tx->producer = tx_map + off.tx.producer;
+ tx->consumer = tx_map + off.tx.consumer;
+ tx->ring = tx_map + off.tx.desc;
tx->cached_cons = xsk->config.tx_size;
}
xsk->tx = tx;
@@ -653,13 +652,11 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname,
out_mmap_tx:
if (tx)
- munmap(xsk->tx,
- off.tx.desc +
+ munmap(tx_map, off.tx.desc +
xsk->config.tx_size * sizeof(struct xdp_desc));
out_mmap_rx:
if (rx)
- munmap(xsk->rx,
- off.rx.desc +
+ munmap(rx_map, off.rx.desc +
xsk->config.rx_size * sizeof(struct xdp_desc));
out_socket:
if (--umem->refcount)
@@ -684,10 +681,12 @@ int xsk_umem__delete(struct xsk_umem *umem)
optlen = sizeof(off);
err = getsockopt(umem->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
if (!err) {
- munmap(umem->fill->ring,
- off.fr.desc + umem->config.fill_size * sizeof(__u64));
- munmap(umem->comp->ring,
- off.cr.desc + umem->config.comp_size * sizeof(__u64));
+ (void)munmap(umem->fill->ring - off.fr.desc,
+ off.fr.desc +
+ umem->config.fill_size * sizeof(__u64));
+ (void)munmap(umem->comp->ring - off.cr.desc,
+ off.cr.desc +
+ umem->config.comp_size * sizeof(__u64));
}
close(umem->fd);
@@ -698,6 +697,7 @@ int xsk_umem__delete(struct xsk_umem *umem)
void xsk_socket__delete(struct xsk_socket *xsk)
{
+ size_t desc_sz = sizeof(struct xdp_desc);
struct xdp_mmap_offsets off;
socklen_t optlen;
int err;
@@ -710,14 +710,17 @@ void xsk_socket__delete(struct xsk_socket *xsk)
optlen = sizeof(off);
err = getsockopt(xsk->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
if (!err) {
- if (xsk->rx)
- munmap(xsk->rx->ring,
- off.rx.desc +
- xsk->config.rx_size * sizeof(struct xdp_desc));
- if (xsk->tx)
- munmap(xsk->tx->ring,
- off.tx.desc +
- xsk->config.tx_size * sizeof(struct xdp_desc));
+ if (xsk->rx) {
+ (void)munmap(xsk->rx->ring - off.rx.desc,
+ off.rx.desc +
+ xsk->config.rx_size * desc_sz);
+ }
+ if (xsk->tx) {
+ (void)munmap(xsk->tx->ring - off.tx.desc,
+ off.tx.desc +
+ xsk->config.tx_size * desc_sz);
+ }
+
}
xsk->umem->refcount--;
--
2.20.1
next prev parent reply other threads:[~2019-05-22 20:04 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190522192115.22666-1-sashal@kernel.org>
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 002/375] cxgb4: Fix error path in cxgb4_init_module Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 010/375] batman-adv: mcast: fix multicast tt/tvlv worker locking Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 011/375] ip6: fix skb leak in ip6frag_expire_frag_queue() Sasha Levin
2019-05-23 7:47 ` Stefan Bader
2019-05-29 18:48 ` Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 012/375] tools/bpf: fix perf build error with uClibc (seen on ARC) Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 013/375] i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c Sasha Levin
2019-05-22 19:15 ` Sasha Levin [this message]
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 015/375] selftests/bpf: set RLIMIT_MEMLOCK properly for test_libbpf_open.c Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 016/375] bpftool: exclude bash-completion/bpftool from .gitignore pattern Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 017/375] ice: Separate if conditions for ice_set_features() Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 018/375] ice: Preserve VLAN Rx stripping settings Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 022/375] net: ena: gcc 8: fix compilation warning Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 023/375] net: ena: fix: set freed objects to NULL to avoid failing future allocations Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 024/375] hv_netvsc: fix race that may miss tx queue wakeup Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 026/375] Bluetooth: Ignore CC events not matching the last HCI command Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 040/375] net/mlx5: E-Switch, Use atomic rep state to serialize state change Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 041/375] brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 047/375] mt76: remove mt76_queue dependency from tx_queue_skb function pointer Sasha Levin
2019-05-22 19:15 ` [PATCH AUTOSEL 5.1 055/375] x86/modules: Avoid breaking W^X while loading modules Sasha Levin
2019-05-22 19:16 ` [PATCH AUTOSEL 5.1 060/375] iwlwifi: pcie: don't crash on invalid RX interrupt Sasha Levin
2019-05-22 19:16 ` [PATCH AUTOSEL 5.1 067/375] net: ethernet: ti: cpsw: fix allmulti cfg in dual_mac mode Sasha Levin
2019-05-22 19:16 ` [PATCH AUTOSEL 5.1 069/375] net: hns3: fix pause configure fail problem Sasha Levin
2019-05-22 19:16 ` [PATCH AUTOSEL 5.1 070/375] net: hns3: fix for TX clean num when cleaning TX BD Sasha Levin
2019-05-22 19:16 ` [PATCH AUTOSEL 5.1 071/375] net: phy: improve genphy_soft_reset Sasha Levin
2019-05-22 19:16 ` [PATCH AUTOSEL 5.1 074/375] net: hns3: use atomic_t replace u32 for arq's count Sasha Levin
2019-05-22 19:16 ` [PATCH AUTOSEL 5.1 076/375] mac80211/cfg80211: update bss channel on channel switch Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190522192115.22666-14-sashal@kernel.org \
--to=sashal@kernel$(echo .)org \
--cc=ast@kernel$(echo .)org \
--cc=bjorn.topel@intel$(echo .)com \
--cc=bpf@vger$(echo .)kernel.org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=netdev@vger$(echo .)kernel.org \
--cc=stable@vger$(echo .)kernel.org \
--cc=u9012063@gmail$(echo .)com \
--cc=xdp-newbies@vger$(echo .)kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox