evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/drivers
History
Bernd Eckstein f61ebb6bd7 usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 
[ Upstream commit 45611c61dd503454b2edae00aabe1e429ec49ebe ]

The bug is not easily reproducable, as it may occur very infrequently
(we had machines with 20minutes heavy downloading before it occurred)
However, on a virual machine (VMWare on Windows 10 host) it occurred
pretty frequently (1-2 seconds after a speedtest was started)

dev->tx_skb mab be freed via dev_kfree_skb_irq on a callback
before it is set.

This causes the following problems:
- double free of the skb or potential memory leak
- in dmesg: 'recvmsg bug' and 'recvmsg bug 2' and eventually
  general protection fault

Example dmesg output:
[  134.841986] ------------[ cut here ]------------
[  134.841987] recvmsg bug: copied 9C24A555 seq 9C24B557 rcvnxt 9C25A6B3 fl 0
[  134.841993] WARNING: CPU: 7 PID: 2629 at /build/linux-hwe-On9fm7/linux-hwe-4.15.0/net/ipv4/tcp.c:1865 tcp_recvmsg+0x44d/0xab0
[  134.841994] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi
[  134.842046] CPU: 7 PID: 2629 Comm: python Tainted: G        W  OE    4.15.0-34-generic #37~16.04.1-Ubuntu
[  134.842046] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[  134.842048] RIP: 0010:tcp_recvmsg+0x44d/0xab0
[  134.842048] RSP: 0018:ffffa6630422bcc8 EFLAGS: 00010286
[  134.842049] RAX: 0000000000000000 RBX: ffff997616f4f200 RCX: 0000000000000006
[  134.842049] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff9976257d6490
[  134.842050] RBP: ffffa6630422bd98 R08: 0000000000000001 R09: 000000000004bba4
[  134.842050] R10: 0000000001e00c6f R11: 000000000004bba4 R12: ffff99760dee3000
[  134.842051] R13: 0000000000000000 R14: ffff99760dee3514 R15: 0000000000000000
[  134.842051] FS:  00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000
[  134.842052] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  134.842053] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0
[  134.842055] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  134.842055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  134.842057] Call Trace:
[  134.842060]  ? aa_sk_perm+0x53/0x1a0
[  134.842064]  inet_recvmsg+0x51/0xc0
[  134.842066]  sock_recvmsg+0x43/0x50
[  134.842070]  SYSC_recvfrom+0xe4/0x160
[  134.842072]  ? __schedule+0x3de/0x8b0
[  134.842075]  ? ktime_get_ts64+0x4c/0xf0
[  134.842079]  SyS_recvfrom+0xe/0x10
[  134.842082]  do_syscall_64+0x73/0x130
[  134.842086]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  134.842086] RIP: 0033:0x7fe331f5a81d
[  134.842088] RSP: 002b:00007ffe8da98398 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[  134.842090] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00007fe331f5a81d
[  134.842094] RDX: 00000000000003fb RSI: 0000000001e00874 RDI: 0000000000000003
[  134.842095] RBP: 00007fe32f642c70 R08: 0000000000000000 R09: 0000000000000000
[  134.842097] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe332347698
[  134.842099] R13: 0000000001b7e0a0 R14: 0000000001e00874 R15: 0000000000000000
[  134.842103] Code: 24 fd ff ff e9 cc fe ff ff 48 89 d8 41 8b 8c 24 10 05 00 00 44 8b 45 80 48 c7 c7 08 bd 59 8b 48 89 85 68 ff ff ff e8 b3 c4 7d ff <0f> 0b 48 8b 85 68 ff ff ff e9 e9 fe ff ff 41 8b 8c 24 10 05 00
[  134.842126] ---[ end trace b7138fc08c83147f ]---
[  134.842144] general protection fault: 0000 [] SMP PTI
[  134.842145] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi
[  134.842161] CPU: 7 PID: 2629 Comm: python Tainted: G        W  OE    4.15.0-34-generic #37~16.04.1-Ubuntu
[  134.842162] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[  134.842164] RIP: 0010:tcp_close+0x2c6/0x440
[  134.842165] RSP: 0018:ffffa6630422bde8 EFLAGS: 00010202
[  134.842167] RAX: 0000000000000000 RBX: ffff99760dee3000 RCX: 0000000180400034
[  134.842168] RDX: 5c4afd407207a6c4 RSI: ffffe868495bd300 RDI: ffff997616f4f200
[  134.842169] RBP: ffffa6630422be08 R08: 0000000016f4d401 R09: 0000000180400034
[  134.842169] R10: ffffa6630422bd98 R11: 0000000000000000 R12: 000000000000600c
[  134.842170] R13: 0000000000000000 R14: ffff99760dee30c8 R15: ffff9975bd44fe00
[  134.842171] FS:  00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000
[  134.842173] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  134.842174] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0
[  134.842177] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  134.842178] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  134.842179] Call Trace:
[  134.842181]  inet_release+0x42/0x70
[  134.842183]  __sock_release+0x42/0xb0
[  134.842184]  sock_close+0x15/0x20
[  134.842187]  __fput+0xea/0x220
[  134.842189]  ____fput+0xe/0x10
[  134.842191]  task_work_run+0x8a/0xb0
[  134.842193]  exit_to_usermode_loop+0xc4/0xd0
[  134.842195]  do_syscall_64+0xf4/0x130
[  134.842197]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  134.842197] RIP: 0033:0x7fe331f5a560
[  134.842198] RSP: 002b:00007ffe8da982e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[  134.842200] RAX: 0000000000000000 RBX: 00007fe32f642c70 RCX: 00007fe331f5a560
[  134.842201] RDX: 00000000008f5320 RSI: 0000000001cd4b50 RDI: 0000000000000003
[  134.842202] RBP: 00007fe32f6500f8 R08: 000000000000003c R09: 00000000009343c0
[  134.842203] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe32f6500d0
[  134.842204] R13: 00000000008f5320 R14: 00000000008f5320 R15: 0000000001cd4770
[  134.842205] Code: c8 00 00 00 45 31 e4 49 39 fe 75 4d eb 50 83 ab d8 00 00 00 01 48 8b 17 48 8b 47 08 48 c7 07 00 00 00 00 48 c7 47 08 00 00 00 00 <48> 89 42 08 48 89 10 0f b6 57 34 8b 47 2c 2b 47 28 83 e2 01 80
[  134.842226] RIP: tcp_close+0x2c6/0x440 RSP: ffffa6630422bde8
[  134.842227] ---[ end trace b7138fc08c831480 ]---

The proposed patch eliminates a potential racing condition.
Before, usb_submit_urb was called and _after_ that, the skb was attached
(dev->tx_skb). So, on a callback it was possible, however unlikely that the
skb was freed before it was set. That way (because dev->tx_skb was not set
to NULL after it was freed), it could happen that a skb from a earlier
transmission was freed a second time (and the skb we should have freed did
not get freed at all)

Now we free the skb directly in ipheth_tx(). It is not passed to the
callback anymore, eliminating the posibility of a double free of the same
skb. Depending on the retval of usb_submit_urb() we use dev_kfree_skb_any()
respectively dev_consume_skb_any() to free the skb.

Signed-off-by: Oliver Zweigle <Oliver.Zweigle@faro.com>
Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-13 09:21:26 +01:00
..
accessibility
acpi ACPI / platform: Add SMB0001 HID to forbidden_id_list 2018-11-27 16:08:02 +01:00
amba ARM: amba: Don't read past the end of sysfs "driver_override" buffer 2018-05-02 07:53:42 -07:00
android binder: add missing binder_unlock() 2018-02-28 10:17:23 +01:00
ata ahci: don't ignore result code of ahci_reset_controller() 2018-11-10 07:41:42 -08:00
atm atm: zatm: Fix potential Spectre v1 2018-07-22 14:25:52 +02:00
auxdisplay
base PM / core: Clear the direct_complete flag on errors 2018-10-13 09:11:32 +02:00
bcma
block zram: close udev startup race condition as default groups 2018-11-27 16:08:01 +01:00
bluetooth Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" 2018-11-27 16:08:01 +01:00
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom cdrom: fix improper type cast, which can leat to information leak. 2018-11-21 09:27:39 +01:00
char tpm: Restore functionality to xen vtpm driver. 2018-11-21 09:27:33 +01:00
clk clk: samsung: exynos5420: Enable PERIS clocks for suspend 2018-11-27 16:08:00 +01:00
clocksource clockevents/drivers/i8253: Add support for PIT shutdown quirk 2018-11-21 09:27:42 +01:00
connector
cpufreq cpufreq: imx6q: add return value check for voltage scale 2018-12-01 09:46:34 +01:00
cpuidle cpuidle: powernv: Fix promotion from snooze if next state disabled 2018-07-03 11:21:29 +02:00
crypto crypto: mxs-dcp - Fix wait logic on chan threads 2018-10-10 08:52:13 +02:00
dca
devfreq PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() 2018-11-10 07:41:40 -08:00
dio
dma dmaengine: dma-jz4780: Return error if not probed from DT 2018-11-21 09:27:33 +01:00
dma-buf
edac EDAC, i7core: Fix memleaks and use-after-free on probe and remove 2018-10-10 08:52:06 +02:00
eisa
extcon extcon: palmas: Check the parent instance to prevent the NULL 2017-11-21 09:21:18 +01:00
firewire firewire-ohci: work around oversized DMA reads on JMicron controllers 2018-05-30 07:48:52 +02:00
firmware efi/libstub/arm64: Set -fpie when building the EFI stub 2018-11-27 16:07:58 +01:00
fmc
fpga
gpio gpio: msic: fix error return code in platform_msic_gpio_probe() 2018-11-10 07:41:39 -08:00
gpu drm/ast: Remove existing framebuffers before loading driver 2018-12-01 09:46:41 +01:00
hid HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges 2018-11-27 16:08:02 +01:00
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv HV: properly delay KVP packets when negotiation is in progress 2018-10-20 09:52:38 +02:00
hwmon hwmon: (ibmpowernv) Remove bogus __init annotations 2018-11-27 16:08:01 +01:00
hwspinlock
hwtracing coresight: tpiu: Fix disabling timeouts 2018-09-26 08:35:09 +02:00
i2c i2c: i2c-scmi: fix for i2c_smbus_write_block_data 2018-10-20 09:52:35 +02:00
ide cdrom: do not call check_disk_change() inside cdrom_open() 2018-05-30 07:49:13 +02:00
idle idle: i7300: add PCI dependency 2018-02-25 11:03:51 +01:00
iio iio: adc: at91: fix wrong channel number in triggered buffer mode 2018-11-21 09:27:35 +01:00
infiniband IB/ucm: Fix Spectre v1 vulnerability 2018-11-10 07:41:42 -08:00
input Input: xpad - add support for Xbox1 PDP Camo series gamepad 2018-12-01 09:46:39 +01:00
iommu iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register 2018-09-26 08:35:04 +02:00
ipack
irqchip irqchip/gic: Make interrupt ID 1020 invalid 2018-09-15 09:40:41 +02:00
isdn ser_gigaset: use container_of() instead of detour 2018-11-10 07:41:34 -08:00
leds leds: pca955x: Correct I2C Functionality 2018-04-13 19:50:09 +02:00
lguest
lightnvm
macintosh macintosh/via-pmu: Add missing mmio accessors 2018-09-19 22:48:57 +02:00
mailbox
mcb
md MD: fix invalid stored role for a disk - try2 2018-11-21 09:27:38 +01:00
media media: em28xx: Fix use-after-free when disconnecting 2018-12-13 09:21:26 +01:00
memory memory: tegra: Apply interrupts mask per SoC 2018-08-06 16:24:38 +02:00
memstick
message scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() 2018-05-30 07:48:58 +02:00
mfd thermal: allow u8500-thermal driver to be a module 2018-11-10 07:41:36 -08:00
misc drivers/misc/sgi-gru: fix Spectre v1 vulnerability 2018-11-27 16:08:02 +01:00
mmc mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 2018-11-21 09:27:31 +01:00
mtd mtd: docg3: don't set conflicting BCH_CONST_PARAMS option 2018-11-21 09:27:42 +01:00
net usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 2018-12-13 09:21:26 +01:00
nfc NFC: nfcmrvl_uart: fix OF child-node lookup 2018-12-01 09:46:35 +01:00
ntb ntb_transport: Fix bug with max_mw_size parameter 2018-05-30 07:48:55 +02:00
nubus
nvdimm libnvdimm: Hold reference on parent while scheduling async init 2018-11-21 09:27:34 +01:00
nvme nvme-pci: initialize queue memory before interrupts 2018-07-11 16:03:47 +02:00
nvmem
of of: add helper to lookup compatible child node 2018-12-01 09:46:35 +01:00
oprofile
parisc parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode 2018-05-30 07:49:10 +02:00
parport parport: sunbpp: fix error return code 2018-09-26 08:35:09 +02:00
pci PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk 2018-11-21 09:27:34 +01:00
pcmcia pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges 2018-11-21 09:27:30 +01:00
perf drivers/perf: arm_pmu: handle no platform_device 2018-03-22 09:23:26 +01:00
phy phy: work around 'phys' references to usb-nop-xceiv devices 2018-01-23 19:50:16 +01:00
pinctrl pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant 2018-11-21 09:27:32 +01:00
platform platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 2018-11-27 16:08:00 +01:00
pnp
power power: vexpress: fix corruption in notifier registration 2018-10-10 08:52:04 +02:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps
ps3
ptp ptp: fix Spectre v1 vulnerability 2018-11-10 07:41:42 -08:00
pwm pwm: tiehrpwm: Fix disabling of output of PWMs 2018-09-09 20:04:35 +02:00
rapidio
ras
regulator regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops 2018-08-06 16:24:35 +02:00
remoteproc
reset
rpmsg
rtc rtc: hctosys: Add missing range error reporting 2018-11-21 09:27:44 +01:00
s390 s390/qeth: fix length check in SNMP processing 2018-12-13 09:21:26 +01:00
sbus
scsi scsi: qla2xxx: do not queue commands when unloading 2018-12-01 09:46:40 +01:00
sfi
sh
sn
soc soc/tegra: pmc: Fix child-node lookup 2018-11-21 09:27:37 +01:00
spi spi: xlp: fix error return code in xlp_spi_probe() 2018-11-10 07:41:40 -08:00
spmi
ssb ssb: mark ssb_bus_register as __maybe_unused 2018-02-25 11:03:44 +01:00
staging staging: android: ashmem: Fix mmap size validation 2018-10-10 08:52:06 +02:00
target scsi: target: iscsi: Use bin2hex instead of a re-implementation 2018-10-10 08:52:08 +02:00
tc TC: Set DMA masks for devices 2018-11-21 09:27:36 +01:00
thermal thermal: allow u8500-thermal driver to be a module 2018-11-10 07:41:36 -08:00
thunderbolt thunderbolt: Resume control channel after hibernation image is created 2018-04-24 09:32:07 +02:00
tty tty: wipe buffer if not echoing data 2018-12-01 09:46:41 +01:00
uio uio: Fix an Oops on load 2018-11-27 16:08:02 +01:00
usb usb: xhci: fix uninitialized completion when USB3 port got wrong status 2018-12-01 09:46:41 +01:00
uwb uwb: hwa-rc: fix memory leak at probe 2018-10-10 08:52:04 +02:00
vfio vfio/pci: Virtualize Maximum Read Request Size 2018-04-24 09:32:09 +02:00
vhost vhost/scsi: truncate T10 PI iov_iter to prot_bytes 2018-11-21 09:27:42 +01:00
video mach64: fix image corruption due to reading accelerator registers 2018-11-21 09:27:42 +01:00
virt
virtio virtio_balloon: fix another race between migration and ballooning 2018-08-06 16:24:42 +02:00
vlynq
vme
w1 w1: omap-hdq: fix missing bus unregister at removal 2018-11-21 09:27:35 +01:00
watchdog watchdog: f71808e_wdt: Fix magic close handling 2018-05-30 07:49:03 +02:00
xen xen-swiotlb: use actually allocated size on check physical continuous 2018-11-21 09:27:33 +01:00
zorro zorro: Set up z->dev.dma_mask for the DMA API 2018-05-30 07:49:11 +02:00
Kconfig
Makefile usb: build drivers/usb/common/ when USB_SUPPORT is set 2018-02-25 11:03:38 +01:00