korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-17 09:14:19 +08:00
Code Issues Packages Projects Releases Wiki Activity
50fd85a1f9
linux/net/rxrpc
History
David Howells 50fd85a1f9 rxrpc: Fix a use-after-push in data_ready handler 
Fix a use of a packet after it has been enqueued onto the packet processing
queue in the data_ready handler.  Once on a call's Rx queue, we mustn't
touch it any more as it may be dequeued and freed by the call processor
running on a work queue.

Save the values we need before enqueuing.

Without this, we can get an oops like the following:

BUG: unable to handle kernel NULL pointer dereference at 000000000000009c
IP: [<ffffffffa01854e8>] rxrpc_fast_process_packet+0x724/0xa11 [af_rxrpc]
PGD 0 
Oops: 0000 [#1] SMP
Modules linked in: kafs(E) af_rxrpc(E) [last unloaded: af_rxrpc]
CPU: 2 PID: 0 Comm: swapper/2 Tainted: G            E   4.7.0-fsdevel+ #1336
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
task: ffff88040d6863c0 task.stack: ffff88040d68c000
RIP: 0010:[<ffffffffa01854e8>]  [<ffffffffa01854e8>] rxrpc_fast_process_packet+0x724/0xa11 [af_rxrpc]
RSP: 0018:ffff88041fb03a78  EFLAGS: 00010246
RAX: ffffffffffffffff RBX: ffff8803ff195b00 RCX: 0000000000000001
RDX: ffffffffa01854d1 RSI: 0000000000000008 RDI: ffff8803ff195b00
RBP: ffff88041fb03ab0 R08: 0000000000000000 R09: 0000000000000001
R10: ffff88041fb038c8 R11: 0000000000000000 R12: ffff880406874800
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88041fb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000009c CR3: 0000000001c14000 CR4: 00000000001406e0
Stack:
 ffff8803ff195ea0 ffff880408348800 ffff880406874800 ffff8803ff195b00
 ffff880408348800 ffff8803ff195ed8 0000000000000000 ffff88041fb03af0
 ffffffffa0186072 0000000000000000 ffff8804054da000 0000000000000000
Call Trace:
 <IRQ> 
 [<ffffffffa0186072>] rxrpc_data_ready+0x89d/0xbae [af_rxrpc]
 [<ffffffff814c94d7>] __sock_queue_rcv_skb+0x24c/0x2b2
 [<ffffffff8155c59a>] __udp_queue_rcv_skb+0x4b/0x1bd
 [<ffffffff8155e048>] udp_queue_rcv_skb+0x281/0x4db
 [<ffffffff8155ea8f>] __udp4_lib_rcv+0x7ed/0x963
 [<ffffffff8155ef9a>] udp_rcv+0x15/0x17
 [<ffffffff81531d86>] ip_local_deliver_finish+0x1c3/0x318
 [<ffffffff81532544>] ip_local_deliver+0xbb/0xc4
 [<ffffffff81531bc3>] ? inet_del_offload+0x40/0x40
 [<ffffffff815322a9>] ip_rcv_finish+0x3ce/0x42c
 [<ffffffff81532851>] ip_rcv+0x304/0x33d
 [<ffffffff81531edb>] ? ip_local_deliver_finish+0x318/0x318
 [<ffffffff814dff9d>] __netif_receive_skb_core+0x601/0x6e8
 [<ffffffff814e072e>] __netif_receive_skb+0x13/0x54
 [<ffffffff814e082a>] netif_receive_skb_internal+0xbb/0x17c
 [<ffffffff814e1838>] napi_gro_receive+0xf9/0x1bd
 [<ffffffff8144eb9f>] rtl8169_poll+0x32b/0x4a8
 [<ffffffff814e1c7b>] net_rx_action+0xe8/0x357
 [<ffffffff81051074>] __do_softirq+0x1aa/0x414
 [<ffffffff810514ab>] irq_exit+0x3d/0xb0
 [<ffffffff810184a2>] do_IRQ+0xe4/0xfc
 [<ffffffff81612053>] common_interrupt+0x93/0x93
 <EOI> 
 [<ffffffff814af837>] ? cpuidle_enter_state+0x1ad/0x2be
 [<ffffffff814af832>] ? cpuidle_enter_state+0x1a8/0x2be
 [<ffffffff814af96a>] cpuidle_enter+0x12/0x14
 [<ffffffff8108956f>] call_cpuidle+0x39/0x3b
 [<ffffffff81089855>] cpu_startup_entry+0x230/0x35d
 [<ffffffff810312ea>] start_secondary+0xf4/0xf7

Signed-off-by: David Howells <dhowells@redhat.com>
2016-08-09 17:13:55 +01:00
..
af_rxrpc.c rxrpc: Fix error handling in af_rxrpc_init() 2016-07-12 11:07:38 -07:00
ar-internal.h rxrpc: Fix races between skb free, ACK generation and replying 2016-08-06 00:08:40 -04:00
call_accept.c rxrpc: Fix races between skb free, ACK generation and replying 2016-08-06 00:08:40 -04:00
call_event.c rxrpc: Don't access connection from call if pointer is NULL 2016-08-09 17:12:23 +01:00
call_object.c rxrpc: Need to flag call as being released on connect failure 2016-08-09 17:12:23 +01:00
conn_client.c rxrpc: Use RCU to access a peer's service connection tree 2016-07-06 10:51:14 +01:00
conn_event.c rxrpc: Call channels should have separate call number spaces 2016-07-06 10:43:52 +01:00
conn_object.c rxrpc: Use RCU to access a peer's service connection tree 2016-07-06 10:51:14 +01:00
conn_service.c rxrpc: checking for IS_ERR() instead of NULL 2016-07-15 14:16:25 -07:00
input.c rxrpc: Fix a use-after-push in data_ready handler 2016-08-09 17:13:55 +01:00
insecure.c rxrpc: Avoid using stack memory in SG lists in rxkad 2016-07-06 10:43:05 +01:00
Kconfig rxrpc: Absorb the rxkad security module 2016-04-11 15:34:41 -04:00
key.c rxrpc: Use structs to hold connection params and protocol info 2016-06-22 09:09:59 +01:00
local_event.c rxrpc: Rework local endpoint management 2016-06-15 15:38:17 +01:00
local_object.c rxrpc: Add RCU destruction for connections and calls 2016-07-06 10:43:51 +01:00
Makefile rxrpc: Split service connection code out into its own file 2016-07-06 10:49:35 +01:00
misc.c rxrpc: Limit the listening backlog 2016-06-10 18:14:47 -07:00
output.c rxrpc: Kill off the rxrpc_transport struct 2016-06-22 14:00:23 +01:00
peer_event.c rxrpc: Use the peer record to distribute network errors 2016-06-15 10:15:16 +01:00
peer_object.c rxrpc: Use RCU to access a peer's service connection tree 2016-07-06 10:51:14 +01:00
proc.c rxrpc: Call channels should have separate call number spaces 2016-07-06 10:43:52 +01:00
recvmsg.c rxrpc: Fix races between skb free, ACK generation and replying 2016-08-06 00:08:40 -04:00
rxkad.c rxrpc: Call channels should have separate call number spaces 2016-07-06 10:43:52 +01:00
security.c rxrpc: Replace conn->trans->{local,peer} with conn->params.{local,peer} 2016-06-22 09:10:00 +01:00
skbuff.c rxrpc: Fix races between skb free, ACK generation and replying 2016-08-06 00:08:40 -04:00
sysctl.c rxrpc: Kill off the rxrpc_transport struct 2016-06-22 14:00:23 +01:00
utils.c rxrpc: Move data_ready peer lookup into rxrpc_find_connection() 2016-07-06 10:51:14 +01:00