| 2020-01-14 07:46:08 |
Fred Kimmy |
bug |
|
|
added bug |
| 2020-01-14 07:46:29 |
Fred Kimmy |
nominated for series |
|
kunpeng920/ubuntu-18.04 |
|
| 2020-01-14 07:46:29 |
Fred Kimmy |
bug task added |
|
kunpeng920/ubuntu-18.04 |
|
| 2020-01-14 07:46:29 |
Fred Kimmy |
nominated for series |
|
kunpeng920/upstream-kernel |
|
| 2020-01-14 07:46:29 |
Fred Kimmy |
bug task added |
|
kunpeng920/upstream-kernel |
|
| 2020-01-14 07:46:29 |
Fred Kimmy |
nominated for series |
|
kunpeng920/ubuntu-18.04-hwe |
|
| 2020-01-14 07:46:29 |
Fred Kimmy |
bug task added |
|
kunpeng920/ubuntu-18.04-hwe |
|
| 2020-01-14 08:17:43 |
Ike Panhc |
description |
[Bug Description]
Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
SKB if the BD num required by the SKB does not meet the hardware
limitation, and it linearizes the SKB by allocating a new linearized SKB
and freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY
because there are no enough space in the ring to send the linearized
skb to hardware, the sch_direct_xmit() still hold reference to old SKB
and try to retransmit the old SKB when dev_hard_start_xmit() return
TX_BUSY, which may cause use after freed problem.
[Steps to Reproduce]
1.run IO with high throughput
[Actual Results]
Oops
[Expected Results]
IO ok
[Reproducibility]
Inevitably
[Additional information]
Hardware: D06
Firmware: NA
Kernel: NA
[Resolution]
This patch fixes it by using __skb_linearize() to linearize the
SKB in hns3_nic_maybe_stop_tx().
net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() |
[Bug Description]
Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
SKB if the BD num required by the SKB does not meet the hardware
limitation, and it linearizes the SKB by allocating a new linearized SKB
and freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY
because there are no enough space in the ring to send the linearized
skb to hardware, the sch_direct_xmit() still hold reference to old SKB
and try to retransmit the old SKB when dev_hard_start_xmit() return
TX_BUSY, which may cause use after freed problem.
[Steps to Reproduce]
1.run IO with high throughput
[Actual Results]
Oops
[Expected Results]
IO ok
[Reproducibility]
Inevitably
[Additional information]
Hardware: D06
Firmware: NA
Kernel: NA
[Resolution]
This patch fixes it by using __skb_linearize() to linearize the
SKB in hns3_nic_maybe_stop_tx().
d1a37dedcfcf net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() |
|
| 2020-01-14 08:17:56 |
Ike Panhc |
kunpeng920/upstream-kernel: status |
New |
Fix Committed |
|
| 2020-01-14 08:18:00 |
Ike Panhc |
kunpeng920/upstream-kernel: milestone |
|
linux-v5.5 |
|
| 2020-01-14 08:18:10 |
Ike Panhc |
nominated for series |
|
kunpeng920/ubuntu-20.04 |
|
| 2020-01-14 08:18:10 |
Ike Panhc |
bug task added |
|
kunpeng920/ubuntu-20.04 |
|
| 2020-01-14 08:18:23 |
Ike Panhc |
tags |
|
ikeradar |
|
| 2020-01-15 05:50:40 |
Ike Panhc |
kunpeng920/ubuntu-18.04: status |
New |
Invalid |
|
| 2020-01-15 05:50:44 |
Ike Panhc |
kunpeng920/ubuntu-18.04: status |
Invalid |
Won't Fix |
|
| 2020-01-27 15:12:56 |
dann frazier |
kunpeng920/upstream-kernel: status |
Fix Committed |
Fix Released |
|
| 2020-02-09 07:15:17 |
Ike Panhc |
kunpeng920/ubuntu-20.04: status |
New |
Fix Committed |
|
| 2020-02-09 07:15:23 |
Ike Panhc |
kunpeng920/ubuntu-20.04: milestone |
|
ubuntu-20.04-ga |
|
| 2020-02-09 07:15:31 |
Ike Panhc |
kunpeng920/ubuntu-18.04-hwe: status |
New |
Fix Committed |
|
| 2020-02-09 07:15:36 |
Ike Panhc |
kunpeng920/ubuntu-18.04-hwe: milestone |
|
ubuntu-18.04.5 |
|
| 2020-02-09 07:15:41 |
Ike Panhc |
kunpeng920: status |
New |
Fix Committed |
|
| 2020-02-26 09:33:12 |
Ike Panhc |
tags |
ikeradar |
|
|
| 2020-04-24 10:53:52 |
Andrew Cloke |
kunpeng920/ubuntu-20.04: status |
Fix Committed |
Fix Released |
|
| 2020-08-14 03:30:12 |
Ike Panhc |
kunpeng920/ubuntu-18.04-hwe: status |
Fix Committed |
Fix Released |
|
| 2020-08-14 03:30:16 |
Ike Panhc |
kunpeng920: status |
Fix Committed |
Fix Released |
|
