On Sat, Sep 5, 2020 at 12:28 AM Yang Yingliang <yangyingli...@huawei.com> wrote:
>
> Hi,
>
> I got some crashes when using the connector module in linux-4.19:

Can you test a reasonably recent kernel?

> The invalid address [0x000000030000004c] is the value of the nlmsghdr from cn
> netlink: nlmsg_type is 3 and nlmsg_len is 0x4c.
>
> It seems the skb->data pointer is freed wrongly:
>
> Process A                                        Process B
>
> calls cn_netlink_send_mult()
>   skb = nlmsg_new(size, gfp_mask);
>                                                  unknown process calls
>                                                  kfree(skb->data)
>                                                  // put the skb->data pointer back
>                                                  // to the freelist of struct
>                                                  // kmem_cache_cpu or struct page
>
>   nlh = nlmsg_put(skb, 0, msg->seq, NLMSG_DONE, size, 0);
>   // set (*skb->data) to 0x000000030000004c,
>   // so the freelist is broken here.

This does not make sense. The newly allocated skb is only visible to process A at this point; it is impossible for it to be freed by another process.

I guess there might be some buffer overrun on the heap. You probably need to turn on other memory debugging options like SLUB debug:

https://www.kernel.org/doc/Documentation/vm/slub.txt

Thanks.
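The one thing both messages agree on is that the faulting address is literally the first eight bytes of the nlmsghdr that nlmsg_put() wrote at the start of the skb data. The following is an added userspace example (not code from either poster, nor from the kernel's connector driver) that reconstructs that observation: it lays out a netlink header the way nlmsg_put() does and reads the object's first word back as a little-endian 64-bit pointer, which is the slot SLUB uses for the free-list link of a freed object. The struct mirrors uapi/linux/netlink.h; the 60-byte payload and the sequence number 1234 are assumptions chosen so that nlmsg_len comes out as 0x4c, matching the report. Whether a free or a neighbouring overrun put that slot on the freelist in the first place is exactly what the example cannot tell you; that is the question SLUB debug is meant to answer.

```c
/* Added example: show why a SLUB free-list pointer read from an object that
 * has just had a netlink header written at its start decodes to
 * 0x000000030000004c. Not from the original thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors struct nlmsghdr from uapi/linux/netlink.h (16 bytes, no padding). */
struct nlmsghdr_local {
    uint32_t nlmsg_len;   /* total length including this header */
    uint16_t nlmsg_type;  /* message type, e.g. NLMSG_DONE */
    uint16_t nlmsg_flags; /* NLM_F_* flags */
    uint32_t nlmsg_seq;   /* sequence number */
    uint32_t nlmsg_pid;   /* sender port id */
};

#define NLMSG_ALIGNTO 4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN ((size_t)NLMSG_ALIGN(sizeof(struct nlmsghdr_local)))
#define NLMSG_DONE 0x3

/* Userspace stand-in for nlmsg_put(skb, portid, seq, type, payload, flags):
 * writes the header at the start of buf, zeroes the payload area and returns
 * nlmsg_len (header + payload). Returns 0 if the aligned message would not
 * fit in the buffer. */
size_t put_nlmsg(unsigned char *buf, size_t cap, uint32_t portid, uint32_t seq,
                 uint16_t type, uint32_t payload, uint16_t flags)
{
    size_t total = NLMSG_HDRLEN + payload;
    struct nlmsghdr_local h;

    if (NLMSG_ALIGN(total) > cap)
        return 0;

    h.nlmsg_len = (uint32_t)total;
    h.nlmsg_type = type;
    h.nlmsg_flags = flags;
    h.nlmsg_seq = seq;
    h.nlmsg_pid = portid;
    memcpy(buf, &h, sizeof h);
    memset(buf + NLMSG_HDRLEN, 0, NLMSG_ALIGN(total) - NLMSG_HDRLEN);
    return total;
}

/* Read the first 8 bytes of an object as a little-endian 64-bit word. On a
 * little-endian machine without SLUB debugging this is the location SLUB uses
 * for the free-list pointer of a freed object, so if the object is (wrongly)
 * on the freelist, this is the "pointer" the allocator will dereference next. */
uint64_t first_word_le(const unsigned char *obj)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | obj[i];
    return v;
}

/* Assumed values: payload of 60 bytes so that nlmsg_len = 16 + 60 = 0x4c,
 * seq 1234 (the real msg->seq is not in the report), portid 0 and flags 0 as
 * in the nlmsg_put() call quoted above. */
uint64_t crash_word(void)
{
    unsigned char obj[128];

    memset(obj, 0, sizeof obj);
    if (put_nlmsg(obj, sizeof obj, 0, 1234, NLMSG_DONE, 60, 0) == 0)
        return 0;
    return first_word_le(obj);
}

int main(void)
{
    printf("first 8 bytes of skb->data read as a pointer: 0x%016llx\n",
           (unsigned long long)crash_word());
    return 0;
}
```

The low 32 bits are nlmsg_len (0x4c) and the next 16 are nlmsg_type (3, NLMSG_DONE); nlmsg_flags is 0, which is why the top 16 bits are clear. The value therefore only proves that the header landed in an object the allocator later treated as free; it says nothing about who freed it or whether a neighbouring object's overrun corrupted SLUB's metadata, which is the distinction the SLUB debug options (redzoning, poisoning, free-list sanity checks) are designed to expose.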