Re: dom0 crash in xenvif_rx_ring_slots_available

On 02.02.21 03:29, Igor Druzhinin wrote:

We've got a crash report from one of our customers (see below) running 4.4.
The functions seem to be the new ones that came with XSA-332 and nothing like
that has been reported before in their cloud. It appears there is some
use-after-free happening on skb in the following code fragment:

static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
{
         RING_IDX prod, cons;
         struct sk_buff *skb;
         int needed;

         skb = skb_peek(&queue->rx_queue);
         if (!skb)
                 return false;

         needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
         if (skb_is_gso(skb))  /* <== skb points to 0-ed memory */

Has something similar been reported before? Any ideas?

I haven't seen that before, but I think your analysis regarding use
after free is correct. xenvif_rx_ring_slots_available() is now called
from the interrupt handler, too, so it needs to take the queue lock
before peeking at the queue.

Patch is coming.
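As an added illustration (not xen-netback code and not part of this thread), the following userspace model shows the hazard and the fix discussed above: an skb queue shared between a checker and a context that dequeues and frees, where the checker must hold the queue lock across both the peek and every dereference of the peeked skb. A pthread mutex stands in for the queue spinlock, and the "+1 slot for GSO" accounting is an assumed simplification, not the kernel's exact rule.

```c
/* Constructed model of the race: peek + use of the head skb must happen
 * under the same lock that the dequeue-and-free path takes, otherwise the
 * skb can be freed between skb_peek() and skb->len / skb_is_gso(). */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

#define XEN_PAGE_SIZE 4096u
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

struct skb { unsigned int len; bool gso; struct skb *next; };

struct queue {
    pthread_mutex_t lock;    /* stands in for the rx_queue lock */
    struct skb *head;        /* rx_queue head, NULL when empty */
    unsigned int prod, cons; /* ring request producer/consumer indices */
};

/* Slots one skb needs: one per page, plus one for the GSO extra
 * (assumed simplification of the real accounting). */
static unsigned int needed_slots(unsigned int len, bool gso)
{
    return DIV_ROUND_UP(len, XEN_PAGE_SIZE) + (gso ? 1u : 0u);
}

/* Hardened form: the peek AND every dereference of skb are under the lock,
 * so a concurrent dequeue_and_free() cannot free it underneath us. */
static bool rx_ring_slots_available(struct queue *q)
{
    bool ok = false;
    pthread_mutex_lock(&q->lock);
    struct skb *skb = q->head;                      /* skb_peek() */
    if (skb)
        ok = q->prod - q->cons >= needed_slots(skb->len, skb->gso);
    pthread_mutex_unlock(&q->lock);
    return ok;
}

/* The other context: unlink the head under the lock, then free it. */
static void dequeue_and_free(struct queue *q)
{
    pthread_mutex_lock(&q->lock);
    struct skb *skb = q->head;
    if (skb)
        q->head = skb->next;
    pthread_mutex_unlock(&q->lock);
    free(skb);
}

/* Helper for stand-alone use: a queue holding one constructed skb. */
static struct queue *make_queue(unsigned int len, bool gso, unsigned int free_slots)
{
    struct queue *q = calloc(1, sizeof *q);
    struct skb *s = calloc(1, sizeof *s);
    pthread_mutex_init(&q->lock, NULL);
    s->len = len; s->gso = gso;
    q->head = s; q->prod = free_slots; q->cons = 0;
    return q;
}
```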


