android_kernel_oneplus_msm8998/drivers
Yunsheng Lin e89a59dca1 net: hns: Fix a skb used after free bug
skb may be freed in hns_nic_net_xmit_hw() and return NETDEV_TX_OK,
which causes hns_nic_net_xmit to use a freed skb.

BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
	[17659.112635]      alloc_debug_processing+0x18c/0x1a0
	[17659.117208]      __slab_alloc+0x52c/0x560
	[17659.120909]      kmem_cache_alloc_node+0xac/0x2c0
	[17659.125309]      __alloc_skb+0x6c/0x260
	[17659.128837]      tcp_send_ack+0x8c/0x280
	[17659.132449]      __tcp_ack_snd_check+0x9c/0xf0
	[17659.136587]      tcp_rcv_established+0x5a4/0xa70
	[17659.140899]      tcp_v4_do_rcv+0x27c/0x620
	[17659.144687]      tcp_prequeue_process+0x108/0x170
	[17659.149085]      tcp_recvmsg+0x940/0x1020
	[17659.152787]      inet_recvmsg+0x124/0x180
	[17659.156488]      sock_recvmsg+0x64/0x80
	[17659.160012]      SyS_recvfrom+0xd8/0x180
	[17659.163626]      __sys_trace_return+0x0/0x4
	[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
	[17659.174000]      free_debug_processing+0x1d4/0x2c0
	[17659.178486]      __slab_free+0x240/0x390
	[17659.182100]      kmem_cache_free+0x24c/0x270
	[17659.186062]      kfree_skbmem+0xa0/0xb0
	[17659.189587]      __kfree_skb+0x28/0x40
	[17659.193025]      napi_gro_receive+0x168/0x1c0
	[17659.197074]      hns_nic_rx_up_pro+0x58/0x90
	[17659.201038]      hns_nic_rx_poll_one+0x518/0xbc0
	[17659.205352]      hns_nic_common_poll+0x94/0x140
	[17659.209576]      net_rx_action+0x458/0x5e0
	[17659.213363]      __do_softirq+0x1b8/0x480
	[17659.217062]      run_ksoftirqd+0x64/0x80
	[17659.220679]      smpboot_thread_fn+0x224/0x310
	[17659.224821]      kthread+0x150/0x170
	[17659.228084]      ret_from_fork+0x10/0x40

	BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
	[17751.080490]      __slab_alloc+0x52c/0x560
	[17751.084188]      kmem_cache_alloc+0x244/0x280
	[17751.088238]      __build_skb+0x40/0x150
	[17751.091764]      build_skb+0x28/0x100
	[17751.095115]      __alloc_rx_skb+0x94/0x150
	[17751.098900]      __napi_alloc_skb+0x34/0x90
	[17751.102776]      hns_nic_rx_poll_one+0x180/0xbc0
	[17751.107097]      hns_nic_common_poll+0x94/0x140
	[17751.111333]      net_rx_action+0x458/0x5e0
	[17751.115123]      __do_softirq+0x1b8/0x480
	[17751.118823]      run_ksoftirqd+0x64/0x80
	[17751.122437]      smpboot_thread_fn+0x224/0x310
	[17751.126575]      kthread+0x150/0x170
	[17751.129838]      ret_from_fork+0x10/0x40
	[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
	[17751.139951]      free_debug_processing+0x1d4/0x2c0
	[17751.144436]      __slab_free+0x240/0x390
	[17751.148051]      kmem_cache_free+0x24c/0x270
	[17751.152014]      kfree_skbmem+0xa0/0xb0
	[17751.155543]      __kfree_skb+0x28/0x40
	[17751.159022]      napi_gro_receive+0x168/0x1c0
	[17751.163074]      hns_nic_rx_up_pro+0x58/0x90
	[17751.167041]      hns_nic_rx_poll_one+0x518/0xbc0
	[17751.171358]      hns_nic_common_poll+0x94/0x140
	[17751.175585]      net_rx_action+0x458/0x5e0
	[17751.179373]      __do_softirq+0x1b8/0x480
	[17751.183076]      run_ksoftirqd+0x64/0x80
	[17751.186691]      smpboot_thread_fn+0x224/0x310
	[17751.190826]      kthread+0x150/0x170
	[17751.194093]      ret_from_fork+0x10/0x40

Change-Id: I5fbdea5d0264c79dbcc91f8519cda1004b667866
Fixes: 13ac695e7ea1 ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Acked-By: Chinmay Agarwal <chinagar@qti.qualcomm.com>
[ tejaswit@codeaurora.org : resolved minor conflicts ]
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
2018-09-04 04:34:27 -07:00
accessibility
acpi ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices 2018-08-15 17:42:05 +02:00
amba ARM: amba: Don't read past the end of sysfs "driver_override" buffer 2018-05-02 07:53:42 -07:00
android Merge android-4.4.142 (8ec9fd8) into msm-4.4 2018-08-03 16:59:20 +05:30
ata libata: Fix command retry decision 2018-08-06 16:24:36 +02:00
atm atm: zatm: Fix potential Spectre v1 2018-07-22 14:25:52 +02:00
auxdisplay
base Merge android-4.4.148 (f057ff9) into msm-4.4 2018-08-24 00:07:01 +05:30
bcma
bif
block Merge android-4.4.141 (b1bad9e) into msm-4.4 2018-07-24 12:10:47 +05:30
bluetooth Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom cdrom: do not call check_disk_change() inside cdrom_open() 2018-05-30 07:49:13 +02:00
char Merge "diag: Add protection before accessing md_session_map" 2018-09-01 16:12:33 -07:00
clk Merge android-4.4.144 (4b2d6ba) into msm-4.4 2018-08-03 17:05:13 +05:30
clocksource Merge android-4.4.135 (c9d74f2) into msm-4.4 2018-06-27 14:42:55 +05:30
connector
cpufreq Merge android-4.4.142 (8ec9fd8) into msm-4.4 2018-08-03 16:59:20 +05:30
cpuidle Merge android-4.4.139 (7ba5557) into msm-4.4 2018-07-03 12:24:56 -07:00
crypto Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
dca
devfreq Merge "devfreq: suppress platform driver bind / unbind feature" 2018-06-19 08:12:57 -07:00
dio
dma Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
dma-buf
edac Merge android-4.4.128 (89904cc) into msm-4.4 2018-04-20 13:05:36 +05:30
eisa
esoc esoc: Use standard reset time for mdm9x55 atomic reset 2018-04-17 21:47:45 -07:00
extcon Merge android-4.4.100 (482cc74) into msm-4.4 2017-12-26 18:37:32 +05:30
firewire firewire-ohci: work around oversized DMA reads on JMicron controllers 2018-05-30 07:48:52 +02:00
firmware Merge android-4.4.135 (c9d74f2) into msm-4.4 2018-06-27 14:42:55 +05:30
fmc
fpga
gpio gpio: No NULL owner 2018-06-16 09:54:26 +02:00
gpu Merge "drm: Pass CRTC ID in userspace vblank events" 2018-09-01 16:12:40 -07:00
hid Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv Drivers: hv: vmbus: fix build warning 2018-02-25 11:03:46 +01:00
hwmon platform: msm: resolve NULL pointer dereference issue 2018-08-16 11:45:37 +08:00
hwspinlock
hwtracing Merge android-4.4.137 (a2e2217) into msm-4.4 2018-06-27 14:45:25 +05:30
i2c Merge android-4.4.150 (5541782) into msm-4.4 2018-08-28 16:40:54 +05:30
ide cdrom: do not call check_disk_change() inside cdrom_open() 2018-05-30 07:49:13 +02:00
idle idle: i7300: add PCI dependency 2018-02-25 11:03:51 +01:00
iio Merge android-4.4.139 (7ba5557) into msm-4.4 2018-07-03 12:24:56 -07:00
infiniband IB/ocrdma: fix out of bounds access to local buffer 2018-08-15 17:42:06 +02:00
input Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
iommu iommu/arm-smmu: Add Hibernation support 2018-08-21 11:16:37 -07:00
ipack
irqchip Merge android-4.4.135 (c9d74f2) into msm-4.4 2018-06-27 14:42:55 +05:30
isdn isdn: eicon: fix a missing-check bug 2018-06-13 16:15:28 +02:00
leds Merge "leds: qpnp-flash-v2: Modify current code calculation" 2018-05-02 04:54:41 -07:00
lguest
lightnvm
macintosh
mailbox
mcb
md Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
media Merge "msm:ais:Handling bigger value than upper bound in msm_cpp_irq api" 2018-08-30 13:05:56 -07:00
memory memory: tegra: Apply interrupts mask per SoC 2018-08-06 16:24:38 +02:00
memstick
message scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() 2018-05-30 07:48:58 +02:00
mfd Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
misc Merge android-4.4.141 (b1bad9e) into msm-4.4 2018-07-24 12:10:47 +05:30
mmc mmc: core: Use mmc_get_cd_gpio to get cd gpio status in resume path 2018-07-26 18:22:44 +05:30
mtd Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
net net: hns: Fix a skb used after free bug 2018-09-04 04:34:27 -07:00
nfc Merge android-4.4.127 (d6bbe8b) into msm-4.4 2018-04-20 12:27:57 +05:30
ntb ntb_transport: Fix bug with max_mw_size parameter 2018-05-30 07:48:55 +02:00
nubus
nvdimm linvdimm, pmem: Preserve read-only setting for pmem devices 2018-07-03 11:21:31 +02:00
nvme nvme-pci: initialize queue memory before interrupts 2018-07-11 16:03:47 +02:00
nvmem
of Merge android-4.4.139 (7ba5557) into msm-4.4 2018-07-03 12:24:56 -07:00
oprofile
parisc parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode 2018-05-30 07:49:10 +02:00
parport parport_pc: Add support for WCH CH382L PCI-E single parallel port card. 2018-04-08 11:52:00 +02:00
pci Merge android-4.4.148 (f057ff9) into msm-4.4 2018-08-24 00:07:01 +05:30
pcmcia
perf Merge android-4.4.127 (d6bbe8b) into msm-4.4 2018-04-20 12:27:57 +05:30
phy Merge android-4.4.113 (ef588ef) into msm-4.4 2018-01-24 18:27:37 +05:30
pinctrl Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
platform Merge "msm: ipa3: Add mutex to prevent race condition" 2018-08-29 17:20:36 -07:00
pnp
power power: smb2: expose CHARGE_FULL/CYCLE_COUNT properties 2018-07-16 16:27:13 +05:30
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps
ps3
ptp ptp: fix missing break in switch 2018-07-25 10:18:17 +02:00
pwm Merge android-4.4.127 (d6bbe8b) into msm-4.4 2018-04-20 12:27:57 +05:30
rapidio
ras
regulator Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
remoteproc
reset
rpmsg
rtc Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
s390 scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread 2018-07-03 11:21:31 +02:00
sbus
scsi Merge android-4.4.148 (f057ff9) into msm-4.4 2018-08-24 00:07:01 +05:30
sensors
sfi
sh
slimbus slimbus: Avoid uninitialized variable access 2018-03-20 19:25:09 +05:30
sn
soc icnss: Add a flag to indicare FW rejuvenate 2018-08-30 02:21:41 -07:00
soundwire
spi Merge android-4.4.139 (7ba5557) into msm-4.4 2018-07-03 12:24:56 -07:00
spmi spmi: pmic-arb: support updating interrupt type flags 2018-05-11 10:08:19 +08:00
ssb ssb: mark ssb_bus_register as __maybe_unused 2018-02-25 11:03:44 +01:00
staging Merge android-4.4.140 (789274d) into msm-4.4 2018-07-18 15:09:28 +05:30
switch
target tcm_fileio: Prevent information leak for short reads 2018-03-24 10:58:45 +01:00
tc
tee BACKPORT: tee: shm: Potential NULL dereference calling tee_shm_register() 2018-02-21 15:40:49 +00:00
thermal Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
thunderbolt thunderbolt: Resume control channel after hibernation image is created 2018-04-24 09:32:07 +02:00
tty Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
uio uio: msm_sharedmem: add guard page around shared memory 2018-08-16 08:00:12 -07:00
usb Merge "USB: core: only clean up what we allocated" 2018-08-30 13:05:53 -07:00
uwb
vfio vfio/pci: Virtualize Maximum Read Request Size 2018-04-24 09:32:09 +02:00
vhost vhost_net: validate sock before trying to put its fd 2018-07-22 14:25:53 +02:00
video Merge "msm: mdss: Change function from disbale_irq_nosync to disbale_irq" 2018-08-07 15:24:14 -07:00
virt
virtio Merge android-4.4.146 (13962260) into msm-4.4 2018-08-07 15:36:56 +05:30
vlynq
vme
w1 This is the 4.4.139 stable release 2018-07-03 18:23:34 +02:00
watchdog watchdog: f71808e_wdt: Fix magic close handling 2018-05-30 07:49:03 +02:00
xen xen: Remove unnecessary BUG_ON from __unbind_from_irq() 2018-07-03 11:21:34 +02:00
zorro zorro: Set up z->dev.dma_mask for the DMA API 2018-05-30 07:49:11 +02:00
Kconfig Merge android-4.4.104 (8bc4213) into msm-4.4 2018-01-02 18:31:53 +05:30
Makefile Merge android-4.4.118 (5f7f76a) into msm-4.4 2018-03-01 17:20:34 +05:30