iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers
History
Yunsheng Lin 27463ad99f net: hns: Fix a skb used after free bug 
skb maybe freed in hns_nic_net_xmit_hw() and return NETDEV_TX_OK,
which cause hns_nic_net_xmit to use a freed skb.

BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
	[17659.112635]      alloc_debug_processing+0x18c/0x1a0
	[17659.117208]      __slab_alloc+0x52c/0x560
	[17659.120909]      kmem_cache_alloc_node+0xac/0x2c0
	[17659.125309]      __alloc_skb+0x6c/0x260
	[17659.128837]      tcp_send_ack+0x8c/0x280
	[17659.132449]      __tcp_ack_snd_check+0x9c/0xf0
	[17659.136587]      tcp_rcv_established+0x5a4/0xa70
	[17659.140899]      tcp_v4_do_rcv+0x27c/0x620
	[17659.144687]      tcp_prequeue_process+0x108/0x170
	[17659.149085]      tcp_recvmsg+0x940/0x1020
	[17659.152787]      inet_recvmsg+0x124/0x180
	[17659.156488]      sock_recvmsg+0x64/0x80
	[17659.160012]      SyS_recvfrom+0xd8/0x180
	[17659.163626]      __sys_trace_return+0x0/0x4
	[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
	[17659.174000]      free_debug_processing+0x1d4/0x2c0
	[17659.178486]      __slab_free+0x240/0x390
	[17659.182100]      kmem_cache_free+0x24c/0x270
	[17659.186062]      kfree_skbmem+0xa0/0xb0
	[17659.189587]      __kfree_skb+0x28/0x40
	[17659.193025]      napi_gro_receive+0x168/0x1c0
	[17659.197074]      hns_nic_rx_up_pro+0x58/0x90
	[17659.201038]      hns_nic_rx_poll_one+0x518/0xbc0
	[17659.205352]      hns_nic_common_poll+0x94/0x140
	[17659.209576]      net_rx_action+0x458/0x5e0
	[17659.213363]      __do_softirq+0x1b8/0x480
	[17659.217062]      run_ksoftirqd+0x64/0x80
	[17659.220679]      smpboot_thread_fn+0x224/0x310
	[17659.224821]      kthread+0x150/0x170
	[17659.228084]      ret_from_fork+0x10/0x40

	BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
	[17751.080490]      __slab_alloc+0x52c/0x560
	[17751.084188]      kmem_cache_alloc+0x244/0x280
	[17751.088238]      __build_skb+0x40/0x150
	[17751.091764]      build_skb+0x28/0x100
	[17751.095115]      __alloc_rx_skb+0x94/0x150
	[17751.098900]      __napi_alloc_skb+0x34/0x90
	[17751.102776]      hns_nic_rx_poll_one+0x180/0xbc0
	[17751.107097]      hns_nic_common_poll+0x94/0x140
	[17751.111333]      net_rx_action+0x458/0x5e0
	[17751.115123]      __do_softirq+0x1b8/0x480
	[17751.118823]      run_ksoftirqd+0x64/0x80
	[17751.122437]      smpboot_thread_fn+0x224/0x310
	[17751.126575]      kthread+0x150/0x170
	[17751.129838]      ret_from_fork+0x10/0x40
	[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
	[17751.139951]      free_debug_processing+0x1d4/0x2c0
	[17751.144436]      __slab_free+0x240/0x390
	[17751.148051]      kmem_cache_free+0x24c/0x270
	[17751.152014]      kfree_skbmem+0xa0/0xb0
	[17751.155543]      __kfree_skb+0x28/0x40
	[17751.159022]      napi_gro_receive+0x168/0x1c0
	[17751.163074]      hns_nic_rx_up_pro+0x58/0x90
	[17751.167041]      hns_nic_rx_poll_one+0x518/0xbc0
	[17751.171358]      hns_nic_common_poll+0x94/0x140
	[17751.175585]      net_rx_action+0x458/0x5e0
	[17751.179373]      __do_softirq+0x1b8/0x480
	[17751.183076]      run_ksoftirqd+0x64/0x80
	[17751.186691]      smpboot_thread_fn+0x224/0x310
	[17751.190826]      kthread+0x150/0x170
	[17751.194093]      ret_from_fork+0x10/0x40

Fixes: 13ac695e7ea1 ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-08 11:05:21 +01:00
..
accessibility
acpi
arm64 updates for 4.13:
2017-07-05 17:09:27 -07:00
amba
android
ata
Power management updates for v4.13-rc1
2017-07-04 13:39:41 -07:00
atm
net: convert sock.sk_wmem_alloc from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
auxdisplay
base
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
bcma
block
Merge branch 'work.read_write' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 14:35:57 -07:00
bluetooth
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
bus
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
cdrom
block: don't set bounce limit in blk_init_queue
2017-06-27 12:13:45 -06:00
char
arm64 updates for 4.13:
2017-07-05 17:09:27 -07:00
clk
ARM: Device-tree updates
2017-07-04 14:37:25 -07:00
clocksource
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
connector
cpufreq
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
cpuidle
Power management updates for v4.13-rc1
2017-07-04 13:39:41 -07:00
crypto
Cavium CNN55XX: fix broken default Kconfig entry
2017-07-05 13:03:05 -07:00
dax
dca
devfreq
dio
dma
dmaengine: omap-dma: port_window support correction for both direction
2017-06-20 11:45:01 +08:00
dma-buf
edac
EDAC, pnd2: Fix Apollo Lake DIMM detection
2017-06-29 10:37:50 +02:00
eisa
extcon
firewire
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
firmware
arm64 updates for 4.13:
2017-07-05 17:09:27 -07:00
fmc
fpga
fsi
gpio
driver core patches for 4.13-rc1
2017-07-03 20:27:48 -07:00
gpu
Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-07-03 13:08:04 -07:00
hid
driver core patches for 4.13-rc1
2017-07-03 20:27:48 -07:00
hsi
HSI changes for the v4.13 series
2017-07-04 14:28:22 -07:00
hv
hwmon
hwmon: (aspeed-pwm-tacho) Poll with short sleeps.
2017-06-24 08:58:06 -07:00
hwspinlock
hwtracing
Char/Misc patches for 4.13-rc1
2017-07-03 20:55:59 -07:00
i2c
Char/Misc patches for 4.13-rc1
2017-07-03 20:55:59 -07:00
ide
block: Change argument type of scsi_req_init()
2017-06-20 19:27:14 -06:00
idle
intel_idle: Use more common logging style
2017-06-29 22:58:35 +02:00
iio
hwmon updates for v4.13:
2017-07-04 11:48:27 -07:00
infiniband
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
input
Input: synaptics-rmi4 - only read the F54 query registers which are used
2017-06-23 00:08:48 -07:00
iommu
Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-07-03 16:50:31 -07:00
ipack
irqchip
arm64 updates for 4.13:
2017-07-05 17:09:27 -07:00
isdn
Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 13:13:32 -07:00
leds
LED fixes for 4.12-rc6
2017-06-18 08:51:35 +09:00
lguest
lightnvm
lightnvm: pblk: set line bitmap check under debug
2017-06-30 11:08:18 -06:00
macintosh
Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 13:13:32 -07:00
mailbox
mcb
md
Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-07-03 13:08:04 -07:00
media
networking: make skb_put & friends return void pointers
2017-06-16 11:48:39 -04:00
memory
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
memstick
message
mfd
Merge remote-tracking branches 'regulator/topic/settle', 'regulator/topic/tps65910' and 'regulator/topic/tps65917' into regulator-next
2017-07-03 16:52:21 +01:00
misc
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
mmc
MMC core:
2017-07-04 11:11:56 -07:00
mtd
There has been a fair amount of activity in the docs tree this time
2017-07-03 21:13:25 -07:00
mux
net
net: hns: Fix a skb used after free bug
2017-07-08 11:05:21 +01:00
nfc
NFC 4.13 pull request
2017-07-01 14:30:39 -07:00
ntb
ntb: no sleep in ntb_async_tx_submit
2017-06-19 14:24:41 -04:00
nubus
nvdimm
block: don't bother with bounce limits for make_request drivers
2017-06-27 12:13:45 -06:00
nvme
Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-07-03 16:50:31 -07:00
nvmem
of
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-06-15 11:59:32 -04:00
oprofile
parisc
parisc: ->mapping_error
2017-07-05 21:46:42 +02:00
parport
pci
Power management updates for v4.13-rc1
2017-07-04 13:39:41 -07:00
pcmcia
perf
Merge branch 'aarch64/for-next/ras-apei' into aarch64/for-next/core
2017-06-26 10:54:27 +01:00
phy
phy: bcm-ns-usb3: add MDIO driver using proper bus layer
2017-06-16 13:22:26 +05:30
pinctrl
Revert "pinctrl: rockchip: avoid hardirq-unsafe functions in irq_chip"
2017-06-29 15:03:24 +02:00
platform
Power management updates for v4.13-rc1
2017-07-04 13:39:41 -07:00
pnp
ACPI / PM: Consolidate device wakeup settings code
2017-06-28 01:52:32 +02:00
power
power supply and reset changes for the v4.13 series
2017-07-04 14:25:14 -07:00
powercap
powercap/RAPL: prevent overridding bits outside of the mask
2017-06-28 00:38:34 +02:00
pps
ps3
ptp
ptp: dte: Use LL suffix for 64-bit constants
2017-07-06 11:40:58 +01:00
pwm
rapidio
ras
arm64 updates for 4.13:
2017-07-05 17:09:27 -07:00
regulator
Merge remote-tracking branches 'regulator/topic/settle', 'regulator/topic/tps65910' and 'regulator/topic/tps65917' into regulator-next
2017-07-03 16:52:21 +01:00
remoteproc
reset
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
rpmsg
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
rtc
sched/wait: Disambiguate wq_entry->task_list and wq_head->task_list naming
2017-06-20 12:19:14 +02:00
s390
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
sbus
block: don't set bounce limit in blk_init_queue
2017-06-27 12:13:45 -06:00
scsi
Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 13:13:32 -07:00
sfi
sh
sn
soc
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
spi
Merge remote-tracking branches 'spi/topic/spidev', 'spi/topic/st-ssc4' and 'spi/topic/stm32' into spi-next
2017-07-03 16:21:12 +01:00
spmi
ssb
staging
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
target
Merge branch 'work.read_write' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 14:35:57 -07:00
tc
tee
thermal
USB/PHY patches for 4.13-rc1
2017-07-03 19:30:55 -07:00
thunderbolt
tty
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
uio
usb
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
uwb
driver core patches for 4.13-rc1
2017-07-03 20:27:48 -07:00
vfio
sched/wait: Rename wait_queue_t => wait_queue_entry_t
2017-06-20 12:18:27 +02:00
vhost
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
video
video: fbdev: udlfb: drop log level for blanking
2017-06-14 12:40:36 +02:00
virt
virtio
virtio_balloon: disable VIOMMU support
2017-06-18 23:13:35 +03:00
vlynq
vme
w1
watchdog
xen
Merge branch 'ras-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-07-03 18:33:03 -07:00
zorro
Kconfig
Makefile