Feng Sun e6198d2b4f net: fix skb use after free in netpoll ... [ Upstream commit 2c1644cf6d46a8267d79ed95cb9b563839346562 ] After commit baeababb5b ("tun: return NET_XMIT_DROP for dropped packets"), when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP, netpoll_send_skb_on_dev will run into following use after free cases: 1. retry netpoll_start_xmit with freed skb; 2. queue freed skb in npinfo->txq. queue_process will also run into use after free case. hit netpoll_send_skb_on_dev first case with following kernel log: [ 117.864773] kernel BUG at mm/slub.c:306! [ 117.864773] invalid opcode: 0000 [#1] SMP PTI [ 117.864774] CPU: 3 PID: 2627 Comm: loop_printmsg Kdump: loaded Tainted: P OE 5.3.0-050300rc5-generic #201908182231 [ 117.864775] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 117.864775] RIP: 0010:kmem_cache_free+0x28d/0x2b0 [ 117.864781] Call Trace: [ 117.864781] ? tun_net_xmit+0x21c/0x460 [ 117.864781] kfree_skbmem+0x4e/0x60 [ 117.864782] kfree_skb+0x3a/0xa0 [ 117.864782] tun_net_xmit+0x21c/0x460 [ 117.864782] netpoll_start_xmit+0x11d/0x1b0 [ 117.864788] netpoll_send_skb_on_dev+0x1b8/0x200 [ 117.864789] __br_forward+0x1b9/0x1e0 [bridge] [ 117.864789] ? skb_clone+0x53/0xd0 [ 117.864790] ? __skb_clone+0x2e/0x120 [ 117.864790] deliver_clone+0x37/0x50 [bridge] [ 117.864790] maybe_deliver+0x89/0xc0 [bridge] [ 117.864791] br_flood+0x6c/0x130 [bridge] [ 117.864791] br_dev_xmit+0x315/0x3c0 [bridge] [ 117.864792] netpoll_start_xmit+0x11d/0x1b0 [ 117.864792] netpoll_send_skb_on_dev+0x1b8/0x200 [ 117.864792] netpoll_send_udp+0x2c6/0x3e8 [ 117.864793] write_msg+0xd9/0xf0 [netconsole] [ 117.864793] console_unlock+0x386/0x4e0 [ 117.864793] vprintk_emit+0x17e/0x280 [ 117.864794] vprintk_default+0x29/0x50 [ 117.864794] vprintk_func+0x4c/0xbc [ 117.864794] printk+0x58/0x6f [ 117.864795] loop_fun+0x24/0x41 [printmsg_loop] [ 117.864795] kthread+0x104/0x140 [ 117.864795] ? 0xffffffffc05b1000 [ 117.864796] ? kthread_park+0x80/0x80 [ 117.864796] ret_from_fork+0x35/0x40 Signed-off-by: Feng Sun <loyou85@gmail.com> Signed-off-by: Xiaojun Zhao <xiaojunzhao141@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2019-09-10 10:29:50 +01:00
..
6lowpan
9p	9p/virtio: Add cleanup path in p9_virtio_init	2019-08-04 09:34:51 +02:00
802
8021q	vlan: disable SIOCSHWTSTAMP in container	2019-05-16 19:45:17 +02:00
appletalk	appletalk: Fix use-after-free in atalk_proc_exit	2019-04-27 09:33:59 +02:00
atm	net: atm: Fix potential Spectre v1 vulnerabilities	2019-04-27 09:33:59 +02:00
ax25	ax25: fix inconsistent lock state in ax25_destroy_timer	2019-06-22 08:18:25 +02:00
batman-adv	batman-adv: fix for leaked TVLV handler.	2019-08-04 09:34:39 +02:00
bluetooth	Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug	2019-08-04 09:34:53 +02:00
bridge	netfilter: ebtables: fix a memory leak bug in compat	2019-09-06 10:18:04 +02:00
caif
can	can: purge socket error queue on sock destruct	2019-07-10 09:56:33 +02:00
ceph	libceph: handle an empty authorize reply	2019-03-23 08:44:18 +01:00
core	net: fix skb use after free in netpoll	2019-09-10 10:29:50 +01:00
dcb
dccp	dccp: do not use ipv6 header for ipv4 flow	2019-04-03 06:23:25 +02:00
decnet
dns_resolver
dsa	net: dsa: slave: Don't propagate flag changes on down slave interfaces	2019-02-20 10:13:15 +01:00
ethernet
hsr	net/hsr: fix possible crash in add_timer()	2019-03-23 08:44:31 +01:00
ieee802154	inet: frags: fix ip6frag_low_thresh boundary	2019-02-08 11:25:32 +01:00
ipv4	inet: switch IP ID generator to siphash	2019-09-06 10:18:13 +02:00
ipv6	inet: switch IP ID generator to siphash	2019-09-06 10:18:13 +02:00
ipx
irda
iucv	af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers	2018-11-10 07:41:35 -08:00
key	af_key: fix leaks in key_pol_get_resp and dump_sp.	2019-08-04 09:34:42 +02:00
l2tp	compat_ioctl: pppoe: fix PPPOEIOCSFWD handling	2019-08-11 12:20:46 +02:00
l3mdev
lapb	lapb: fixed leak of control-blocks.	2019-06-22 08:18:25 +02:00
llc	llc: fix skb leak in llc_build_and_send_ui_pkt()	2019-06-11 12:24:06 +02:00
mac80211	mac80211: fix possible sta leak	2019-09-06 10:18:17 +02:00
mac802154
mpls
netfilter	netfilter: conntrack: Use consistent ct id hash calculation	2019-09-06 10:18:13 +02:00
netlabel	netlabel: check for IPV4MASK in addrinfo_get	2018-10-20 09:52:36 +02:00
netlink
netrom	netrom: hold sock when setting skb->destructor	2019-08-04 09:34:54 +02:00
nfc	nfc: fix potential illegal memory access	2019-08-04 09:34:54 +02:00
openvswitch	openvswitch: fix flow actions reallocation	2019-04-27 09:33:54 +02:00
packet	net/packet: fix race in tpacket_snd()	2019-08-25 10:53:05 +02:00
phonet	phonet: fix building with clang	2019-03-23 08:44:34 +01:00
rds	net: rds: fix memory leak in rds_ib_flush_mr_pool	2019-06-11 12:24:12 +02:00
rfkill
rose	net: rose: fix a possible stack overflow	2019-04-03 06:23:25 +02:00
rxrpc
sched	net: sched: Fix a possible null-pointer dereference in dequeue_func()	2019-08-11 12:20:45 +02:00
sctp	sctp: fix the transport error_count check	2019-08-25 10:53:06 +02:00
sunrpc	sunrpc: don't mark uninitialised items as VALID.	2019-05-16 19:44:44 +02:00
switchdev
tipc	tipc: compat: allow tipc commands without arguments	2019-08-11 12:20:45 +02:00
unix	missing barriers in some of unix_sock ->addr and ->path accesses	2019-03-23 08:44:31 +01:00
vmw_vsock	vsock: cope with memory allocation failure at socket creation time	2019-02-23 09:05:13 +01:00
wimax
wireless	Revert "cfg80211: fix processing world regdomain when non modular"	2019-09-06 10:18:17 +02:00
x25	net/x25: fix a race in x25_bind()	2019-03-23 08:44:30 +01:00
xfrm	xfrm: fix sa selector validation	2019-08-04 09:34:46 +02:00
compat.c	sock: Make sock->sk_stamp thread-safe	2019-01-13 10:05:28 +01:00
Kconfig
Makefile
socket.c	sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names	2019-03-23 08:44:21 +01:00
sysctl_net.c