Re: kasan r8169 use-after-free trace.

Corinna Vinschen Wed, 11 Nov 2015 08:01:33 -0800

On Nov 11 05:16, Eric Dumazet wrote:
> On Wed, 2015-11-11 at 10:19 +0100, Francois Romieu wrote:
> > Dave Jones <da...@codemonkey.org.uk> :
> > > This happens during boot, (and then there's a flood of traces that happen 
> > > so fast
> > > afterwards it completely overwhelms serial console; not sure if they're 
> > > the
> > > same/related or not).
> > > 
> > > ==================================================================
> > > BUG: KASAN: use-after-free in rtl8169_poll+0x4b6/0xb70 at addr 
> > > ffff8801d43b3288
> > > Read of size 1 by task kworker/0:3/188
> > > =============================================================================
> > > BUG kmalloc-256 (Not tainted): kasan: bad access detected
> > > -----------------------------------------------------------------------------
> > > 
> > > Disabling lock debugging due to kernel taint
> > > INFO: Slab 0xffffea000750ecc0 objects=16 used=16 fp=0x          (null) 
> > > flags=0x8000000000000080
> > > INFO: Object 0xffff8801d43b3200 @offset=512 fp=0xffff8801d43b3800
> > > 
> > > Bytes b4 ffff8801d43b31f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> > > 00  ................
> > > Object ffff8801d43b3200: 00 38 3b d4 01 88 ff ff 00 00 00 00 00 00 00 00  
> > > .8;.............
> > 
> > Does the patch below cure it ?
> > 
> > diff --git a/drivers/net/ethernet/realtek/r8169.c 
> > b/drivers/net/ethernet/realtek/r8169.c
> > index b4f2123..79ef799 100644
> > --- a/drivers/net/ethernet/realtek/r8169.c
> > +++ b/drivers/net/ethernet/realtek/r8169.c
> > @@ -7429,15 +7429,15 @@ process_pkt:
> >  
> >                     rtl8169_rx_vlan_tag(desc, skb);
> >  
> > +                   if (skb->pkt_type == PACKET_MULTICAST)
> > +                           dev->stats.multicast++;
> > +
> >                     napi_gro_receive(&tp->napi, skb);
> >  
> >                     u64_stats_update_begin(&tp->rx_stats.syncp);
> >                     tp->rx_stats.packets++;
> >                     tp->rx_stats.bytes += pkt_size;
> >                     u64_stats_update_end(&tp->rx_stats.syncp);
> > -
> > -                   if (skb->pkt_type == PACKET_MULTICAST)
> > -                           dev->stats.multicast++;
> >             }
> >  release_descriptor:
> >             desc->opts2 = 0;
> 
> This looks obvious indeed, please submit this formally Francois ;)


Yes, please.  Thank you Francois.


> Fixes: d7d2d89d4b0af ("r8169: Add software counter for multicast packages")
> Acked-by: Eric Dumazet <eduma...@google.com>

Acked-by: Corinna Vinschen <vinsc...@redhat.com>


Corinna

pgpOTQv1S7P6H.pgp
Description: PGP signature

Re: kasan r8169 use-after-free trace.

Reply via email to