Skip to content

rust: add a Task abstraction. #410

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 2, 2021
Merged

rust: add a Task abstraction. #410

merged 1 commit into from
Jul 2, 2021

Conversation

wedsonaf
Copy link

@wedsonaf wedsonaf commented Jul 1, 2021

This allows users of the kernel crate to get tasks (e.g., the current
task), access their properties (e.g., pid, group_leader, etc.), and hold
on to them if desired. When holding on to tasks, the reference count is
automatically incremented and decremented.

Signed-off-by: Wedson Almeida Filho [email protected]

@ksquirrel

This comment has been minimized.

Sign in to view
ojeda
ojeda reviewed Jul 1, 2021
View reviewed changes
bjorn3
bjorn3 reviewed Jul 1, 2021
View reviewed changes
bjorn3
bjorn3 reviewed Jul 1, 2021
View reviewed changes
nbdd0121
nbdd0121 reviewed Jul 1, 2021
View reviewed changes
@wedsonaf
rust: add a Task abstraction.
6556b37 
This allows users of the `kernel` crate to get tasks (e.g., the current
task), access their properties (e.g., pid, group_leader, etc.), and hold
on to them if desired. When holding on to tasks, the reference count is
automatically incremented and decremented.

Signed-off-by: Wedson Almeida Filho <[email protected]>
@ksquirrel
Copy link
Member

Review of 6556b37a7fc5:

  • ✔️ Commit 6556b37: Looks fine!

@wedsonaf
Copy link
Author

wedsonaf commented Jul 1, 2021
edited
Loading

Folks, thank you for the prompt reviews! Very much appreciated.

v1 -> v2

  • Renamed rust_helper_current to rust_helper_get_current.
  • Replaced pid with PID in comments.
  • Removed spurious n from comment.
  • Marked Task Sync as well.
  • Fixed typo in TaskRef description (the -> to).
  • Dropped the use of Cell to create a non-send phantom variable, using (&'a (), *mut ()) now.
  • Removed brackets around struct task_struct in the descriptor of TaskRef::from_ptr

This was referenced Jul 1, 2021
Merged
Merged
@ojeda ojeda merged commit 5f9ad6c into Rust-for-Linux:rust Jul 2, 2021
@wedsonaf wedsonaf deleted the task branch July 2, 2021 12:17
vtta pushed a commit to vtta/linux-archive that referenced this pull request Sep 29, 2023
@zhengchaoshao @klassert
ip6_vti: fix slab-use-after-free in decode_session6
9fd41f1 
When ipv6_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.

The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 Rust-for-Linux#410
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
vti6_tnl_xmit+0x3e6/0x1ee0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
Allocated by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
netlink_sendmsg+0x9b1/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0x160/0x1c0
slab_free_freelist_hook+0x11b/0x220
kmem_cache_free+0xf0/0x490
skb_free_head+0x17f/0x1b0
skb_release_data+0x59c/0x850
consume_skb+0xd2/0x170
netlink_unicast+0x54f/0x7f0
netlink_sendmsg+0x926/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88802e08ed00
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 194 bytes inside of
freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)

As commit f855691 ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.

Fixes: f855691 ("xfrm6: Fix the nexthdr offset in _decode_session6.")
Signed-off-by: Zhengchao Shao <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ojeda ojeda ojeda left review comments

@nbdd0121 nbdd0121 nbdd0121 left review comments

@bjorn3 bjorn3 bjorn3 left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@wedsonaf @ksquirrel @ojeda @nbdd0121 @bjorn3