[hns3-0114]net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| kunpeng920 |
Fix Released
|
Undecided
|
Unassigned | ||
| Ubuntu-18.04 |
Won't Fix
|
Undecided
|
Unassigned | ||
| Ubuntu-18.04-hwe |
Fix Released
|
Undecided
|
Unassigned | ||
| Ubuntu-20.04 |
Fix Released
|
Undecided
|
Unassigned | ||
| Upstream-kernel |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
[Bug Description]
Currently, hns3_nic_
SKB if the BD num required by the SKB does not meet the hardware
limitation, and it linearizes the SKB by allocating a new linearized SKB
and freeing the old SKB, if hns3_nic_
because there are no enough space in the ring to send the linearized
skb to hardware, the sch_direct_xmit() still hold reference to old SKB
and try to retransmit the old SKB when dev_hard_
TX_BUSY, which may cause use after freed problem.
[Steps to Reproduce]
1.run IO with high throughput
[Actual Results]
Oops
[Expected Results]
IO ok
[Reproducibility]
Inevitably
[Additional information]
Hardware: D06
Firmware: NA
Kernel: NA
[Resolution]
This patch fixes it by using __skb_linearize() to linearize the
SKB in hns3_nic_
d1a37dedcfcf net: hns3: fix a use after free problem in hns3_nic_
| description: | updated |
| tags: | added: ikeradar |
| Ike Panhc (ikepanhc) wrote | #1 |
| Ike Panhc (ikepanhc) wrote | #2 |
| Changed in kunpeng920: | |
| status: | New → Fix Committed |
| tags: | removed: ikeradar |
| Changed in kunpeng920: | |
| status: | Fix Committed → Fix Released |
Unable to cherry-pick for bionic kernel.