• Feng Sun's avatar
    net: fix skb use after free in netpoll · 2c1644cf
    Feng Sun authored
    After commit baeababb
    ("tun: return NET_XMIT_DROP for dropped packets"),
    when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP,
    netpoll_send_skb_on_dev will run into following use after free cases:
    1. retry netpoll_start_xmit with freed skb;
    2. queue freed skb in npinfo->txq.
    queue_process will also run into use after free case.
    
    hit netpoll_send_skb_on_dev first case with following kernel log:
    
    [  117.864773] kernel BUG at mm/slub.c:306!
    [  117.864773] invalid opcode: 0000 [#1] SMP PTI
    [  117.864774] CPU: 3 PID: 2627 Comm: loop_printmsg Kdump: loaded Tainted: P           OE     5.3.0-050300rc5-generic #201908182231
    [  117.864775] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    [  117.864775] RIP: 0010:kmem_cache_free+0x28d/0x2b0
    [  117.864781] Call Trace:
    [  117.864781]  ? tun_net_xmit+0x21c/0x460
    [  117.864781]  kfree_skbmem+0x4e/0x60
    [  117.864782]  kfree_skb+0x3a/0xa0
    [  117.864782]  tun_net_xmit+0x21c/0x460
    [  117.864782]  netpoll_start_xmit+0x11d/0x1b0
    [  117.864788]  netpoll_send_skb_on_dev+0x1b8/0x200
    [  117.864789]  __br_forward+0x1b9/0x1e0 [bridge]
    [  117.864789]  ? skb_clone+0x53/0xd0
    [  117.864790]  ? __skb_clone+0x2e/0x120
    [  117.864790]  deliver_clone+0x37/0x50 [bridge]
    [  117.864790]  maybe_deliver+0x89/0xc0 [bridge]
    [  117.864791]  br_flood+0x6c/0x130 [bridge]
    [  117.864791]  br_dev_xmit+0x315/0x3c0 [bridge]
    [  117.864792]  netpoll_start_xmit+0x11d/0x1b0
    [  117.864792]  netpoll_send_skb_on_dev+0x1b8/0x200
    [  117.864792]  netpoll_send_udp+0x2c6/0x3e8
    [  117.864793]  write_msg+0xd9/0xf0 [netconsole]
    [  117.864793]  console_unlock+0x386/0x4e0
    [  117.864793]  vprintk_emit+0x17e/0x280
    [  117.864794]  vprintk_default+0x29/0x50
    [  117.864794]  vprintk_func+0x4c/0xbc
    [  117.864794]  printk+0x58/0x6f
    [  117.864795]  loop_fun+0x24/0x41 [printmsg_loop]
    [  117.864795]  kthread+0x104/0x140
    [  117.864795]  ? 0xffffffffc05b1000
    [  117.864796]  ? kthread_park+0x80/0x80
    [  117.864796]  ret_from_fork+0x35/0x40
    Signed-off-by: default avatarFeng Sun <loyou85@gmail.com>
    Signed-off-by: default avatarXiaojun Zhao <xiaojunzhao141@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2c1644cf
netpoll.c 18.8 KB