linux/drivers
Yunsheng Lin 27463ad99f net: hns: Fix a skb used after free bug
skb may be freed in hns_nic_net_xmit_hw() and NETDEV_TX_OK returned,
which causes hns_nic_net_xmit to use a freed skb.

BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
	[17659.112635]      alloc_debug_processing+0x18c/0x1a0
	[17659.117208]      __slab_alloc+0x52c/0x560
	[17659.120909]      kmem_cache_alloc_node+0xac/0x2c0
	[17659.125309]      __alloc_skb+0x6c/0x260
	[17659.128837]      tcp_send_ack+0x8c/0x280
	[17659.132449]      __tcp_ack_snd_check+0x9c/0xf0
	[17659.136587]      tcp_rcv_established+0x5a4/0xa70
	[17659.140899]      tcp_v4_do_rcv+0x27c/0x620
	[17659.144687]      tcp_prequeue_process+0x108/0x170
	[17659.149085]      tcp_recvmsg+0x940/0x1020
	[17659.152787]      inet_recvmsg+0x124/0x180
	[17659.156488]      sock_recvmsg+0x64/0x80
	[17659.160012]      SyS_recvfrom+0xd8/0x180
	[17659.163626]      __sys_trace_return+0x0/0x4
	[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
	[17659.174000]      free_debug_processing+0x1d4/0x2c0
	[17659.178486]      __slab_free+0x240/0x390
	[17659.182100]      kmem_cache_free+0x24c/0x270
	[17659.186062]      kfree_skbmem+0xa0/0xb0
	[17659.189587]      __kfree_skb+0x28/0x40
	[17659.193025]      napi_gro_receive+0x168/0x1c0
	[17659.197074]      hns_nic_rx_up_pro+0x58/0x90
	[17659.201038]      hns_nic_rx_poll_one+0x518/0xbc0
	[17659.205352]      hns_nic_common_poll+0x94/0x140
	[17659.209576]      net_rx_action+0x458/0x5e0
	[17659.213363]      __do_softirq+0x1b8/0x480
	[17659.217062]      run_ksoftirqd+0x64/0x80
	[17659.220679]      smpboot_thread_fn+0x224/0x310
	[17659.224821]      kthread+0x150/0x170
	[17659.228084]      ret_from_fork+0x10/0x40

	BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
	[17751.080490]      __slab_alloc+0x52c/0x560
	[17751.084188]      kmem_cache_alloc+0x244/0x280
	[17751.088238]      __build_skb+0x40/0x150
	[17751.091764]      build_skb+0x28/0x100
	[17751.095115]      __alloc_rx_skb+0x94/0x150
	[17751.098900]      __napi_alloc_skb+0x34/0x90
	[17751.102776]      hns_nic_rx_poll_one+0x180/0xbc0
	[17751.107097]      hns_nic_common_poll+0x94/0x140
	[17751.111333]      net_rx_action+0x458/0x5e0
	[17751.115123]      __do_softirq+0x1b8/0x480
	[17751.118823]      run_ksoftirqd+0x64/0x80
	[17751.122437]      smpboot_thread_fn+0x224/0x310
	[17751.126575]      kthread+0x150/0x170
	[17751.129838]      ret_from_fork+0x10/0x40
	[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
	[17751.139951]      free_debug_processing+0x1d4/0x2c0
	[17751.144436]      __slab_free+0x240/0x390
	[17751.148051]      kmem_cache_free+0x24c/0x270
	[17751.152014]      kfree_skbmem+0xa0/0xb0
	[17751.155543]      __kfree_skb+0x28/0x40
	[17751.159022]      napi_gro_receive+0x168/0x1c0
	[17751.163074]      hns_nic_rx_up_pro+0x58/0x90
	[17751.167041]      hns_nic_rx_poll_one+0x518/0xbc0
	[17751.171358]      hns_nic_common_poll+0x94/0x140
	[17751.175585]      net_rx_action+0x458/0x5e0
	[17751.179373]      __do_softirq+0x1b8/0x480
	[17751.183076]      run_ksoftirqd+0x64/0x80
	[17751.186691]      smpboot_thread_fn+0x224/0x310
	[17751.190826]      kthread+0x150/0x170
	[17751.194093]      ret_from_fork+0x10/0x40

Fixes: 13ac695e7e ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-08 11:05:21 +01:00
accessibility
acpi arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
amba
android
ata Power management updates for v4.13-rc1 2017-07-04 13:39:41 -07:00
atm net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
auxdisplay
base ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
bcma
block Merge branch 'work.read_write' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 14:35:57 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
bus ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
cdrom block: don't set bounce limit in blk_init_queue 2017-06-27 12:13:45 -06:00
char arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
clk ARM: Device-tree updates 2017-07-04 14:37:25 -07:00
clocksource ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
connector
cpufreq ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
cpuidle Power management updates for v4.13-rc1 2017-07-04 13:39:41 -07:00
crypto Cavium CNN55XX: fix broken default Kconfig entry 2017-07-05 13:03:05 -07:00
dax
dca
devfreq
dio
dma dmaengine: omap-dma: port_window support correction for both direction 2017-06-20 11:45:01 +08:00
dma-buf
edac EDAC, pnd2: Fix Apollo Lake DIMM detection 2017-06-29 10:37:50 +02:00
eisa
extcon
firewire networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
firmware arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
fmc
fpga
fsi
gpio driver core patches for 4.13-rc1 2017-07-03 20:27:48 -07:00
gpu Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 13:08:04 -07:00
hid driver core patches for 4.13-rc1 2017-07-03 20:27:48 -07:00
hsi HSI changes for the v4.13 series 2017-07-04 14:28:22 -07:00
hv
hwmon hwmon: (aspeed-pwm-tacho) Poll with short sleeps. 2017-06-24 08:58:06 -07:00
hwspinlock
hwtracing Char/Misc patches for 4.13-rc1 2017-07-03 20:55:59 -07:00
i2c Char/Misc patches for 4.13-rc1 2017-07-03 20:55:59 -07:00
ide block: Change argument type of scsi_req_init() 2017-06-20 19:27:14 -06:00
idle intel_idle: Use more common logging style 2017-06-29 22:58:35 +02:00
iio hwmon updates for v4.13: 2017-07-04 11:48:27 -07:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
input Input: synaptics-rmi4 - only read the F54 query registers which are used 2017-06-23 00:08:48 -07:00
iommu Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 16:50:31 -07:00
ipack
irqchip arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
isdn Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 13:13:32 -07:00
leds LED fixes for 4.12-rc6 2017-06-18 08:51:35 +09:00
lguest
lightnvm lightnvm: pblk: set line bitmap check under debug 2017-06-30 11:08:18 -06:00
macintosh Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 13:13:32 -07:00
mailbox
mcb
md Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 13:08:04 -07:00
media networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
memory ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
memstick
message
mfd Merge remote-tracking branches 'regulator/topic/settle', 'regulator/topic/tps65910' and 'regulator/topic/tps65917' into regulator-next 2017-07-03 16:52:21 +01:00
misc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
mmc MMC core: 2017-07-04 11:11:56 -07:00
mtd There has been a fair amount of activity in the docs tree this time 2017-07-03 21:13:25 -07:00
mux
net net: hns: Fix a skb used after free bug 2017-07-08 11:05:21 +01:00
nfc NFC 4.13 pull request 2017-07-01 14:30:39 -07:00
ntb ntb: no sleep in ntb_async_tx_submit 2017-06-19 14:24:41 -04:00
nubus
nvdimm block: don't bother with bounce limits for make_request drivers 2017-06-27 12:13:45 -06:00
nvme Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 16:50:31 -07:00
nvmem
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-15 11:59:32 -04:00
oprofile
parisc parisc: ->mapping_error 2017-07-05 21:46:42 +02:00
parport
pci Power management updates for v4.13-rc1 2017-07-04 13:39:41 -07:00
pcmcia
perf Merge branch 'aarch64/for-next/ras-apei' into aarch64/for-next/core 2017-06-26 10:54:27 +01:00
phy phy: bcm-ns-usb3: add MDIO driver using proper bus layer 2017-06-16 13:22:26 +05:30
pinctrl Revert "pinctrl: rockchip: avoid hardirq-unsafe functions in irq_chip" 2017-06-29 15:03:24 +02:00
platform Power management updates for v4.13-rc1 2017-07-04 13:39:41 -07:00
pnp ACPI / PM: Consolidate device wakeup settings code 2017-06-28 01:52:32 +02:00
power power supply and reset changes for the v4.13 series 2017-07-04 14:25:14 -07:00
powercap powercap/RAPL: prevent overridding bits outside of the mask 2017-06-28 00:38:34 +02:00
pps
ps3
ptp ptp: dte: Use LL suffix for 64-bit constants 2017-07-06 11:40:58 +01:00
pwm
rapidio
ras arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
regulator Merge remote-tracking branches 'regulator/topic/settle', 'regulator/topic/tps65910' and 'regulator/topic/tps65917' into regulator-next 2017-07-03 16:52:21 +01:00
remoteproc
reset ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
rpmsg Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
rtc sched/wait: Disambiguate wq_entry->task_list and wq_head->task_list naming 2017-06-20 12:19:14 +02:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
sbus block: don't set bounce limit in blk_init_queue 2017-06-27 12:13:45 -06:00
scsi Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 13:13:32 -07:00
sfi
sh
sn
soc ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
spi Merge remote-tracking branches 'spi/topic/spidev', 'spi/topic/st-ssc4' and 'spi/topic/stm32' into spi-next 2017-07-03 16:21:12 +01:00
spmi
ssb
staging Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
target Merge branch 'work.read_write' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 14:35:57 -07:00
tc
tee
thermal USB/PHY patches for 4.13-rc1 2017-07-03 19:30:55 -07:00
thunderbolt
tty Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
uio
usb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
uwb driver core patches for 4.13-rc1 2017-07-03 20:27:48 -07:00
vfio sched/wait: Rename wait_queue_t => wait_queue_entry_t 2017-06-20 12:18:27 +02:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
video video: fbdev: udlfb: drop log level for blanking 2017-06-14 12:40:36 +02:00
virt
virtio virtio_balloon: disable VIOMMU support 2017-06-18 23:13:35 +03:00
vlynq
vme
w1
watchdog
xen Merge branch 'ras-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 18:33:03 -07:00
zorro
Kconfig
Makefile