Re: dom0 crash in xenvif_rx_ring_slots_available

[Jürgen Groß <jgross@xxxxxxxx>]

On 02.02.21 03:29, Igor Druzhinin wrote:
> Juergen,
>
> We've got a crash report from one of our customers (see below) running 4.4 
> kernel.
> The functions seem to be the new that came with XSA-332 and nothing like that 
> has been
> reported before in their cloud. It appears there is some use-after-free 
> happening on skb
> in the following code fragment:
>
> static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
> {
>          RING_IDX prod, cons;
>          struct sk_buff *skb;
>          int needed;
>
>          skb = skb_peek(&queue->rx_queue);
>          if (!skb)
>                  return false;
>
>          needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
>          if (skb_is_gso(skb))  <== skb points to 0-ed memory
>                  needed++;
>
> Has something similar been reported before? Any ideas?
I haven't seen that before, but I think your analysis regarding use
after free is correct. xenvif_rx_ring_slots_available() is now called
from the interrupt handler, too, so it needs to take the queue lock
before peeking at the queue.

Patch is coming.


Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: application/pgp-keys

Attachment: OpenPGP_signature
Description: OpenPGP digital signature