Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 9e9a27a7 authored by Subash Abhinov Kasiviswanathan's avatar Subash Abhinov Kasiviswanathan
Browse files

drivers: rmnet_shs: Fix skb use-after-free 



Previously we did not break out of checking for a matching
node after finding a match. This could cause a use-after-free
if network stack was quick to process the packet on a different
core.

This results in the following backtrace-

<6> Unable to handle kernel paging request at virtual address ffffffe619d437e4
<6> Mem abort info:
<6>   Exception class = DABT (current EL), IL = 32 bits
<6>   SET = 0, FnV = 0
<6>   EA = 0, S1PTW = 0
<6>   FSC = 7
<6> Data abort info:
<6>   ISV = 0, ISS = 0x00000007
<6>   CM = 0, WnR = 0
<6> Internal error: Oops: 96000007 [#1] PREEMPT SMP
<6> Modules linked in: rmnet_perf(O) rmnet_shs(O)
<6> CPU: 1 PID: 18 Comm: cpuhp/1 Tainted: G S      W  O    4.14.83+ #1
<6> task: ffffffe734708080 task.stack: ffffff8008220000
<2> pc : rmnet_shs_assign+0x1fc/0xbc0 [rmnet_shs]
<2> lr : rmnet_shs_assign+0x2b8/0xbc0 [rmnet_shs]
<6> Process cpuhp/1 (pid: 18, stack limit = 0xffffff8008220000)
<2> Call trace:
<2>  rmnet_shs_assign+0x1fc/0xbc0 [rmnet_shs]
<2>  rmnet_deliver_skb+0x12c/0x1a4
<2>  rmnet_perf_core_send_skb+0x200/0x238 [rmnet_perf]
<2>  rmnet_perf_core_flush_curr_pkt+0xe0/0xf8 [rmnet_perf]
<2>  rmnet_perf_tcp_opt_ingress+0x11c/0x2f4 [rmnet_perf]
<2>  rmnet_perf_opt_ingress+0x340/0x3b4 [rmnet_perf]
<2>  rmnet_perf_core_handle_packet_ingress+0x1c4/0x1fc [rmnet_perf]
<2>  rmnet_perf_core_deaggregate+0x330/0x510 [rmnet_perf]
<2>  rmnet_rx_handler+0x198/0x1fc
<2>  __netif_receive_skb_core+0x5b0/0xa04
<2>  __netif_receive_skb+0x3c/0x7c
<2>  process_backlog+0xa0/0x15c
<2>  net_rx_action+0x138/0x3d8
<2>  __do_softirq+0x220/0x408
<2>  irq_exit+0xac/0xb8
<2>  handle_IPI+0x1a0/0x2d0
<2>  gic_handle_irq+0x124/0x1c0
<2>  el1_irq+0xb4/0x12c
<2>  _raw_spin_unlock_irqrestore+0x2c/0x68
<2>  debug_check_no_obj_freed+0x170/0x1fc
<2>  kfree+0x140/0x62c
<2>  kvfree+0x3c/0x50
<2>  drain_slots_cache_cpu+0x70/0xdc
<2>  free_slot_cache+0x30/0x48
<2>  cpuhp_invoke_callback+0x304/0x7b0
<2>  cpuhp_thread_fun+0x164/0x1cc
<2>  smpboot_thread_fn+0x1b4/0x2ac
<2>  kthread+0x120/0x130
<2>  ret_from_fork+0x10/0x18

This was fixed by using a local variable to reference skb->hash
instead of dereferencing the skb and by breaking after the first
match was found.

CRs-Fixed: 2503080
Change-Id: I054f52d8504a40159e883b1938158bde5c4ec282
Acked-by: default avatarRaul Martinez <mraul@qti.qualcomm.com>
Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
parent c7cd0928
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment