android_kernel_oneplus_msm8998/drivers
Eric Dumazet 499744209b tuntap: dont use skb after netif_rx_ni(skb)
On Wed, 2012-12-12 at 23:16 -0500, Dave Jones wrote:
> Since today's net merge, I see this when I start openvpn..
>
> general protection fault: 0000 [#1] PREEMPT SMP
> Modules linked in: ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables xfs iTCO_wdt iTCO_vendor_support snd_emu10k1 snd_util_mem snd_ac97_codec coretemp ac97_bus microcode snd_hwdep snd_seq pcspkr snd_pcm snd_page_alloc snd_timer lpc_ich i2c_i801 snd_rawmidi mfd_core snd_seq_device snd e1000e soundcore emu10k1_gp gameport i82975x_edac edac_core vhost_net tun macvtap macvlan kvm_intel kvm binfmt_misc nfsd auth_rpcgss nfs_acl lockd sunrpc btrfs libcrc32c zlib_deflate firewire_ohci sata_sil firewire_core crc_itu_t radeon i2c_algo_bit drm_kms_helper ttm drm i2c_core floppy
> CPU 0
> Pid: 1381, comm: openvpn Not tainted 3.7.0+ #14                  /D975XBX
> RIP: 0010:[<ffffffff815b54a4>]  [<ffffffff815b54a4>] skb_flow_dissect+0x314/0x3e0
> RSP: 0018:ffff88007d0d9c48  EFLAGS: 00010206
> RAX: 000000000000055d RBX: 6b6b6b6b6b6b6b4b RCX: 1471030a0180040a
> RDX: 0000000000000005 RSI: 00000000ffffffe0 RDI: ffff8800ba83fa80
> RBP: ffff88007d0d9cb8 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000101 R12: ffff8800ba83fa80
> R13: 0000000000000008 R14: ffff88007d0d9cc8 R15: ffff8800ba83fa80
> FS:  00007f6637104800(0000) GS:ffff8800bf600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f563f5b01c4 CR3: 000000007d140000 CR4: 00000000000007f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process openvpn (pid: 1381, threadinfo ffff88007d0d8000, task ffff8800a540cd60)
> Stack:
>  ffff8800ba83fa80 0000000000000296 0000000000000000 0000000000000000
>  ffff88007d0d9cc8 ffffffff815bcff4 ffff88007d0d9ce8 ffffffff815b1831
>  ffff88007d0d9ca8 00000000703f6364 ffff8800ba83fa80 0000000000000000
> Call Trace:
>  [<ffffffff815bcff4>] ? netif_rx+0x114/0x4c0
>  [<ffffffff815b1831>] ? skb_copy_datagram_from_iovec+0x61/0x290
>  [<ffffffff815b672a>] __skb_get_rxhash+0x1a/0xd0
>  [<ffffffffa03b9538>] tun_get_user+0x418/0x810 [tun]
>  [<ffffffff8135f468>] ? delay_tsc+0x98/0xf0
>  [<ffffffff8109605c>] ? __rcu_read_unlock+0x5c/0xa0
>  [<ffffffffa03b9a41>] tun_chr_aio_write+0x81/0xb0 [tun]
>  [<ffffffff81145011>] ? __buffer_unlock_commit+0x41/0x50
>  [<ffffffff811db917>] do_sync_write+0xa7/0xe0
>  [<ffffffff811dc01f>] vfs_write+0xaf/0x190
>  [<ffffffff811dc375>] sys_write+0x55/0xa0
>  [<ffffffff81705540>] tracesys+0xdd/0xe2
> Code: 41 8b 44 24 68 41 2b 44 24 6c 01 de 29 f0 83 f8 03 0f 8e a0 00 00 00 48 63 de 49 03 9c 24 e0 00 00 00 48 85 db 0f 84 72 fe ff ff <8b> 03 41 89 46 08 b8 01 00 00 00 e9 43 fd ff ff 0f 1f 40 00 48
> RIP  [<ffffffff815b54a4>] skb_flow_dissect+0x314/0x3e0
>  RSP <ffff88007d0d9c48>
> ---[ end trace 6d42c834c72c002e ]---
>
>
> Faulting instruction is
>
>    0:	8b 03                	mov    (%rbx),%eax
>
> rbx is slab poison (-20) so this looks like a use-after-free here...
>
>                         flow->ports = *ports;
>  314:   8b 03                   mov    (%rbx),%eax
>  316:   41 89 46 08             mov    %eax,0x8(%r14)
>
> in the inlined skb_header_pointer in skb_flow_dissect
>
> 	Dave
>

commit 96442e4242 (tuntap: choose the txq based on rxq) added
a use after free.

Cache rxhash in a temp variable before calling netif_rx_ni()

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jason Wang <jasowang@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-12-13 12:58:11 -05:00
accessibility
acpi Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2012-12-12 07:57:13 -08:00
amba ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
ata ARM: arm-soc: Header cleanups 2012-12-12 11:45:16 -08:00
atm solos-pci: fix double-free of TX skb in DMA mode 2012-12-12 00:16:47 -05:00
auxdisplay
base regmap: Updates for v3.8 2012-12-12 07:55:48 -08:00
bcma bcma: mips: fix clearing device IRQ 2012-12-10 15:49:53 -05:00
block mtip32xx: Fix padding issue 2012-11-23 14:32:55 +01:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-12-12 18:07:07 -08:00
bus
cdrom
char ARM: arm-soc: Header cleanups 2012-12-12 11:45:16 -08:00
clk ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
clocksource ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
connector
cpufreq ACPI and power management updates for 3.8-rc1 2012-12-11 12:45:35 -08:00
cpuidle ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
crypto ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
dca
devfreq Merge branch 'pm-devfreq' 2012-12-07 23:13:36 +01:00
dio
dma Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-12-12 18:07:07 -08:00
edac Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp 2012-12-11 11:28:43 -08:00
eisa
extcon extcon: remove use of __devexit_p 2012-11-26 15:57:24 -08:00
firewire Driver core updates for 3.8-rc1 2012-12-11 13:13:55 -08:00
firmware efi_pstore: Add a format check for an existing variable name at erasing time 2012-11-26 16:08:37 -08:00
gpio ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
gpu Revert "revert "Revert "mm: remove __GFP_NO_KSWAPD""" and associated damage 2012-12-10 11:03:05 -08:00
hid
hsi
hv hv: hv_balloon: mark a function static 2012-11-21 12:46:40 -08:00
hwmon Driver core updates for 3.8-rc1 2012-12-11 13:13:55 -08:00
hwspinlock hwspinlock: remove use of __devexit 2012-11-28 11:41:36 -08:00
i2c ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
ide
idle cpuidle: Measure idle state durations with monotonic clock 2012-11-27 14:17:58 +01:00
iio iio: imu: adis16480: remove duplicated include from adis16480.c 2012-11-30 13:11:46 +00:00
infiniband
input ARM: arm-soc: Header cleanups 2012-12-12 11:45:16 -08:00
iommu ARM: arm-soc: Header cleanups 2012-12-12 11:45:16 -08:00
ipack TTY/Serial merge for 3.8-rc1 2012-12-11 14:08:47 -08:00
irqchip Fixes in sunXi related drivers for 3.8 2012-12-07 16:29:05 -08:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-12-12 18:07:07 -08:00
leds ARM: arm-soc: Board updates for 3.8 2012-12-12 12:14:06 -08:00
lguest
macintosh bootmem: fix wrong call parameter for free_bootmem() 2012-12-11 17:22:28 -08:00
md Single bugfix for raid1/raid10. 2012-12-02 16:24:31 -08:00
media ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
memory
memstick
message
mfd ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
misc TTY/Serial merge for 3.8-rc1 2012-12-11 14:08:47 -08:00
mmc ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
mtd ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
net tuntap: dont use skb after netif_rx_ni(skb) 2012-12-13 12:58:11 -05:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-11-25 12:49:17 -05:00
nubus
of Fix build when CONFIG_W1_MASTER_GPIO=m b exporting "allnodes" 2012-11-30 10:04:06 +00:00
oprofile
parisc
parport
pci Driver core updates for 3.8-rc1 2012-12-11 13:13:55 -08:00
pcmcia ARM: arm-soc: Header cleanups 2012-12-12 11:45:16 -08:00
pinctrl ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
platform
pnp Driver core updates for 3.8-rc1 2012-12-11 13:13:55 -08:00
power Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2012-12-12 07:57:13 -08:00
pps
ps3
ptp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-12-12 18:07:07 -08:00
pwm pwm: remove use of __devexit 2012-11-28 12:23:41 -08:00
rapidio Driver core updates for 3.8-rc1 2012-12-11 13:13:55 -08:00
regulator
remoteproc remoteproc: fix error path of ->find_vqs 2012-11-29 10:05:09 +02:00
rpmsg
rtc ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-12-12 18:07:07 -08:00
sbus
scsi megaraid: fix BUG_ON() from incorrect use of delayed work 2012-12-04 07:29:47 -08:00
sfi
sh
sn
spi ARM: arm-soc: Header cleanups 2012-12-12 11:45:16 -08:00
ssb ssb: use WARN in main.c 2012-12-10 15:47:32 -05:00
staging Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal 2012-12-12 12:22:13 -08:00
target
tc
thermal Thermal: Fix DEFAULT_THERMAL_GOVERNOR 2012-12-12 15:34:48 +08:00
tty ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
uio ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
usb ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
uwb uwb: fix uwb_dev_unlock() missed at an error path in uwb_rc_cmd_async() 2012-11-26 15:58:43 -08:00
vfio
vhost tcm_vhost: remove unused variable in vhost_scsi_allocate_cmd() 2012-12-06 17:09:19 +02:00
video ARM: arm-soc: SoC updates for 3.8 2012-12-12 12:05:15 -08:00
virt
virtio virtio_balloon: introduce migration primitives to balloon pages 2012-12-11 17:22:27 -08:00
vlynq
vme
w1 w1-gpio: Simplify & get rid of defines 2012-11-26 16:16:35 -08:00
watchdog ARM: arm-soc: Cleanups on various subarchitectures 2012-12-12 11:51:39 -08:00
xen Char/Misc driver merge for 3.8-rc1 2012-12-11 13:56:38 -08:00
zorro
Kconfig
Makefile