linux/drivers/net/ethernet
Yunsheng Lin 27463ad99f net: hns: Fix a skb used after free bug
skb may be freed in hns_nic_net_xmit_hw() and return NETDEV_TX_OK,
which causes hns_nic_net_xmit to use a freed skb.

BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
	[17659.112635]      alloc_debug_processing+0x18c/0x1a0
	[17659.117208]      __slab_alloc+0x52c/0x560
	[17659.120909]      kmem_cache_alloc_node+0xac/0x2c0
	[17659.125309]      __alloc_skb+0x6c/0x260
	[17659.128837]      tcp_send_ack+0x8c/0x280
	[17659.132449]      __tcp_ack_snd_check+0x9c/0xf0
	[17659.136587]      tcp_rcv_established+0x5a4/0xa70
	[17659.140899]      tcp_v4_do_rcv+0x27c/0x620
	[17659.144687]      tcp_prequeue_process+0x108/0x170
	[17659.149085]      tcp_recvmsg+0x940/0x1020
	[17659.152787]      inet_recvmsg+0x124/0x180
	[17659.156488]      sock_recvmsg+0x64/0x80
	[17659.160012]      SyS_recvfrom+0xd8/0x180
	[17659.163626]      __sys_trace_return+0x0/0x4
	[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
	[17659.174000]      free_debug_processing+0x1d4/0x2c0
	[17659.178486]      __slab_free+0x240/0x390
	[17659.182100]      kmem_cache_free+0x24c/0x270
	[17659.186062]      kfree_skbmem+0xa0/0xb0
	[17659.189587]      __kfree_skb+0x28/0x40
	[17659.193025]      napi_gro_receive+0x168/0x1c0
	[17659.197074]      hns_nic_rx_up_pro+0x58/0x90
	[17659.201038]      hns_nic_rx_poll_one+0x518/0xbc0
	[17659.205352]      hns_nic_common_poll+0x94/0x140
	[17659.209576]      net_rx_action+0x458/0x5e0
	[17659.213363]      __do_softirq+0x1b8/0x480
	[17659.217062]      run_ksoftirqd+0x64/0x80
	[17659.220679]      smpboot_thread_fn+0x224/0x310
	[17659.224821]      kthread+0x150/0x170
	[17659.228084]      ret_from_fork+0x10/0x40

	BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
	[17751.080490]      __slab_alloc+0x52c/0x560
	[17751.084188]      kmem_cache_alloc+0x244/0x280
	[17751.088238]      __build_skb+0x40/0x150
	[17751.091764]      build_skb+0x28/0x100
	[17751.095115]      __alloc_rx_skb+0x94/0x150
	[17751.098900]      __napi_alloc_skb+0x34/0x90
	[17751.102776]      hns_nic_rx_poll_one+0x180/0xbc0
	[17751.107097]      hns_nic_common_poll+0x94/0x140
	[17751.111333]      net_rx_action+0x458/0x5e0
	[17751.115123]      __do_softirq+0x1b8/0x480
	[17751.118823]      run_ksoftirqd+0x64/0x80
	[17751.122437]      smpboot_thread_fn+0x224/0x310
	[17751.126575]      kthread+0x150/0x170
	[17751.129838]      ret_from_fork+0x10/0x40
	[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
	[17751.139951]      free_debug_processing+0x1d4/0x2c0
	[17751.144436]      __slab_free+0x240/0x390
	[17751.148051]      kmem_cache_free+0x24c/0x270
	[17751.152014]      kfree_skbmem+0xa0/0xb0
	[17751.155543]      __kfree_skb+0x28/0x40
	[17751.159022]      napi_gro_receive+0x168/0x1c0
	[17751.163074]      hns_nic_rx_up_pro+0x58/0x90
	[17751.167041]      hns_nic_rx_poll_one+0x518/0xbc0
	[17751.171358]      hns_nic_common_poll+0x94/0x140
	[17751.175585]      net_rx_action+0x458/0x5e0
	[17751.179373]      __do_softirq+0x1b8/0x480
	[17751.183076]      run_ksoftirqd+0x64/0x80
	[17751.186691]      smpboot_thread_fn+0x224/0x310
	[17751.190826]      kthread+0x150/0x170
	[17751.194093]      ret_from_fork+0x10/0x40

Fixes: 13ac695e7e ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-08 11:05:21 +01:00
..
3com networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
8390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-05-26 20:46:35 -04:00
adaptec
adi
aeroflex networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
agere networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
alacritech
allwinner networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
alteon
altera
amazon net: ena: update ena driver to version 1.2.0 2017-06-23 14:15:11 -04:00
amd amd-xgbe: fix spelling mistake: "avialable" -> "available" 2017-06-29 15:35:50 -04:00
apm net: phy: Make phy_ethtool_ksettings_get return void 2017-06-13 12:59:06 -04:00
apple networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
aquantia Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-15 11:59:32 -04:00
arc
atheros net: atl1c: fix spelling mistake: "droppted" -> "dropped" 2017-06-29 12:24:26 -04:00
aurora networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
broadcom Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
brocade bna: ethtool: Avoid reading past end of buffer 2017-05-08 14:41:42 -04:00
cadence net: macb: Adding Support for Jumbo Frames up to 10240 Bytes in SAMA5D3 2017-07-08 10:39:46 +01:00
calxeda
cavium liquidio: fix bug in soft reset failure detection 2017-07-06 10:36:03 +01:00
chelsio Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
cirrus networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
cisco enic: Fix format truncation warning 2017-06-20 15:24:53 -04:00
davicom networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
dec networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
dlink
emulex Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-05-26 20:46:35 -04:00
ezchip
faraday net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
freescale Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
fujitsu
hisilicon net: hns: Fix a skb used after free bug 2017-07-08 11:05:21 +01:00
hp networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
i825xx networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
ibm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
intel i40e: don't hold RTNL lock for the entire reset 2017-06-20 18:17:12 -07:00
marvell net: mvpp2: remove mvpp2_pool_refill() 2017-06-22 13:42:56 -04:00
mediatek net: ethernet: mediatek: fixed deadlock captured by lockdep 2017-07-04 01:43:38 -07:00
mellanox Merge https://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-07-03 03:42:10 -07:00
micrel networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
microchip
moxa
myricom
natsemi format-security: move static strings to const 2017-05-08 17:15:14 -07:00
neterion net: s2io: remove useless variable in fill_rx_buffers 2017-06-15 14:15:13 -04:00
netronome nfp: flower: add missing clean up call to avoid memory leaks 2017-07-07 09:17:42 +01:00
nuvoton net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
nvidia forcedeth: remove unnecessary carrier status check 2017-05-04 10:57:41 -04:00
nxp net: manual clean code which call skb_put_[data:zero] 2017-06-20 13:30:15 -04:00
oki-semi net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
packetengines net: manual clean code which call skb_put_[data:zero] 2017-06-20 13:30:15 -04:00
pasemi
qlogic qed: initialize ll2_syn_handle at start of function 2017-07-03 14:23:53 -07:00
qualcomm net: qcom/emac: add support for emulation systems 2017-06-25 11:44:29 -04:00
rdc
realtek net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
renesas net: phy: Make phy_ethtool_ksettings_get return void 2017-06-13 12:59:06 -04:00
rocker Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
samsung net: ethernet: update drivers to make both SW and HW TX timestamps 2017-05-21 13:37:32 -04:00
seeq
sfc sfc: correct comment on efx_mcdi_process_event 2017-07-01 15:24:06 -07:00
sgi net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
silan networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
sis net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
smsc net: smc91x: constify dev_pm_ops structures. 2017-06-29 15:48:50 -04:00
stmicro net: stmmac: Add additional registers for dwmac1000_dma ethtool 2017-06-29 12:49:54 -04:00
sun networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
synopsys
tehuti
ti Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
tile net: ethernet: update drivers to handle HWTSTAMP_FILTER_NTP_ALL 2017-05-21 13:37:32 -04:00
toshiba networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
tundra net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
via net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
wiznet
xilinx
xircom
xscale
dnet.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
dnet.h
ec_bhf.c networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
ethoc.c net: ethoc: enable NAPI before poll may be scheduled 2017-06-06 16:22:51 -04:00
fealnx.c networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
jme.c net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
jme.h
Kconfig
korina.c net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
lantiq_etop.c
Makefile
netx-eth.c