Date:   Thu, 27 Dec 2018 02:58:07 +0800
From:   kbuild test robot <lkp@...el.com>
To:     Jia-Ju Bai <baijiaju1990@...il.com>
Cc:     kbuild-all@...org, m.grzeschik@...gutronix.de, davem@...emloft.net,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        Jia-Ju Bai <baijiaju1990@...il.com>
Subject: Re: [PATCH] net: arcnet: Fix a possible concurrency use-after-free
 bug in arcnet_reply_tasklet()

Hi Jia-Ju,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on net-next/master]
[also build test ERROR on v4.20 next-20181224]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Jia-Ju-Bai/net-arcnet-Fix-a-possible-concurrency-use-after-free-bug-in-arcnet_reply_tasklet/20181227-020417
config: x86_64-randconfig-x005-201851 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All error/warnings (new ones prefixed by >>):

   In file included from include/linux/kernel.h:13:0,
                    from include/linux/list.h:9,
                    from include/linux/module.h:9,
                    from drivers/net/arcnet/arcnet.c:46:
   drivers/net/arcnet/arcnet.c: In function 'arcnet_reply_tasklet':
>> drivers/net/arcnet/arcnet.c:429:31: error: 'flags' undeclared (first use in this function); did you mean 'class'?
     spin_lock_irqsave(&lp->lock, flags);
                                  ^
   include/linux/typecheck.h:11:9: note: in definition of macro 'typecheck'
     typeof(x) __dummy2; \
            ^
>> include/linux/spinlock.h:359:2: note: in expansion of macro 'raw_spin_lock_irqsave'
     raw_spin_lock_irqsave(spinlock_check(lock), flags); \
     ^~~~~~~~~~~~~~~~~~~~~
>> drivers/net/arcnet/arcnet.c:429:2: note: in expansion of macro 'spin_lock_irqsave'
     spin_lock_irqsave(&lp->lock, flags);
     ^~~~~~~~~~~~~~~~~
   drivers/net/arcnet/arcnet.c:429:31: note: each undeclared identifier is reported only once for each function it appears in
     spin_lock_irqsave(&lp->lock, flags);
                                  ^
   include/linux/typecheck.h:11:9: note: in definition of macro 'typecheck'
     typeof(x) __dummy2; \
            ^
>> include/linux/spinlock.h:359:2: note: in expansion of macro 'raw_spin_lock_irqsave'
     raw_spin_lock_irqsave(spinlock_check(lock), flags); \
     ^~~~~~~~~~~~~~~~~~~~~
>> drivers/net/arcnet/arcnet.c:429:2: note: in expansion of macro 'spin_lock_irqsave'
     spin_lock_irqsave(&lp->lock, flags);
     ^~~~~~~~~~~~~~~~~
>> include/linux/typecheck.h:12:18: warning: comparison of distinct pointer types lacks a cast
     (void)(&__dummy == &__dummy2); \
                     ^
>> include/linux/spinlock.h:240:3: note: in expansion of macro 'typecheck'
      typecheck(unsigned long, flags); \
      ^~~~~~~~~
>> include/linux/spinlock.h:359:2: note: in expansion of macro 'raw_spin_lock_irqsave'
     raw_spin_lock_irqsave(spinlock_check(lock), flags); \
     ^~~~~~~~~~~~~~~~~~~~~
>> drivers/net/arcnet/arcnet.c:429:2: note: in expansion of macro 'spin_lock_irqsave'
     spin_lock_irqsave(&lp->lock, flags);
     ^~~~~~~~~~~~~~~~~
--
   In file included from include/linux/kernel.h:13:0,
                    from include/linux/list.h:9,
                    from include/linux/module.h:9,
                    from drivers/net//arcnet/arcnet.c:46:
   drivers/net//arcnet/arcnet.c: In function 'arcnet_reply_tasklet':
   drivers/net//arcnet/arcnet.c:429:31: error: 'flags' undeclared (first use in this function); did you mean 'class'?
     spin_lock_irqsave(&lp->lock, flags);
                                  ^
   include/linux/typecheck.h:11:9: note: in definition of macro 'typecheck'
     typeof(x) __dummy2; \
            ^
>> include/linux/spinlock.h:359:2: note: in expansion of macro 'raw_spin_lock_irqsave'
     raw_spin_lock_irqsave(spinlock_check(lock), flags); \
     ^~~~~~~~~~~~~~~~~~~~~
   drivers/net//arcnet/arcnet.c:429:2: note: in expansion of macro 'spin_lock_irqsave'
     spin_lock_irqsave(&lp->lock, flags);
     ^~~~~~~~~~~~~~~~~
   drivers/net//arcnet/arcnet.c:429:31: note: each undeclared identifier is reported only once for each function it appears in
     spin_lock_irqsave(&lp->lock, flags);
                                  ^
   include/linux/typecheck.h:11:9: note: in definition of macro 'typecheck'
     typeof(x) __dummy2; \
            ^
>> include/linux/spinlock.h:359:2: note: in expansion of macro 'raw_spin_lock_irqsave'
     raw_spin_lock_irqsave(spinlock_check(lock), flags); \
     ^~~~~~~~~~~~~~~~~~~~~
   drivers/net//arcnet/arcnet.c:429:2: note: in expansion of macro 'spin_lock_irqsave'
     spin_lock_irqsave(&lp->lock, flags);
     ^~~~~~~~~~~~~~~~~
>> include/linux/typecheck.h:12:18: warning: comparison of distinct pointer types lacks a cast
     (void)(&__dummy == &__dummy2); \
                     ^
>> include/linux/spinlock.h:240:3: note: in expansion of macro 'typecheck'
      typecheck(unsigned long, flags); \
      ^~~~~~~~~
>> include/linux/spinlock.h:359:2: note: in expansion of macro 'raw_spin_lock_irqsave'
     raw_spin_lock_irqsave(spinlock_check(lock), flags); \
     ^~~~~~~~~~~~~~~~~~~~~
   drivers/net//arcnet/arcnet.c:429:2: note: in expansion of macro 'spin_lock_irqsave'
     spin_lock_irqsave(&lp->lock, flags);
     ^~~~~~~~~~~~~~~~~

vim +429 drivers/net/arcnet/arcnet.c

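   /*
    * arcnet_reply_tasklet - report the TX status of the outgoing packet to the
    * socket that sent it, then release the outgoing skb.
    *
    * @data: the struct arcnet_local pointer, passed as an unsigned long.
    *
    * A clone of lp->outgoing.skb is filled with a sock_exterr_skb record
    * (ENOMSG, SO_EE_ORIGIN_TXSTATUS, the skb's tskey and lp->reply_status) and
    * queued on the socket with sock_queue_err_skb(). Returns early, without
    * touching lp->outgoing.skb, when there is no outgoing skb, the skb has no
    * socket, or the clone fails.
    *
    * Local interrupts are disabled for the whole body; the free and reset of
    * lp->outgoing.skb additionally run under lp->lock.
    */
   static void arcnet_reply_tasklet(unsigned long data)
   {
   	struct arcnet_local *lp = (struct arcnet_local *)data;

   	struct sk_buff *ackskb, *skb;
   	struct sock_exterr_skb *serr;
   	struct sock *sk;
   	/*
   	 * Saved IRQ state for spin_lock_irqsave()/spin_unlock_irqrestore().
   	 * This declaration was missing, which is the "'flags' undeclared"
   	 * error reported at arcnet.c:429; spin_lock_irqsave() type-checks
   	 * its second argument as unsigned long.
   	 */
   	unsigned long flags;
   	int ret;

   	local_irq_disable();
   	skb = lp->outgoing.skb;
   	if (!skb || !skb->sk) {
   		local_irq_enable();
   		return;
   	}

   	/* Keep a reference on the socket while the skb is cloned. */
   	sock_hold(skb->sk);
   	sk = skb->sk;
   	ackskb = skb_clone_sk(skb);
   	sock_put(skb->sk);

   	if (!ackskb) {
   		local_irq_enable();
   		return;
   	}

   	/* Build the TX-status record carried by the clone. */
   	serr = SKB_EXT_ERR(ackskb);
   	memset(serr, 0, sizeof(*serr));
   	serr->ee.ee_errno = ENOMSG;
   	serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS;
   	serr->ee.ee_data = skb_shinfo(skb)->tskey;
   	serr->ee.ee_info = lp->reply_status;

   	/*
   	 * NOTE(review): lp->outgoing.skb is read and dereferenced above
   	 * before lp->lock is taken; only the free and reset below run under
   	 * the lock. Confirm against the other users of lp->outgoing.skb that
   	 * this is enough to close the use-after-free race the patch targets.
   	 */
   	spin_lock_irqsave(&lp->lock, flags);	/* arcnet.c:429 in the build report */

   	/* finally erasing outgoing skb */
   	dev_kfree_skb(lp->outgoing.skb);
   	lp->outgoing.skb = NULL;

   	spin_unlock_irqrestore(&lp->lock, flags);

   	ackskb->dev = lp->dev;

   	/* The clone is freed here only when it could not be queued. */
   	ret = sock_queue_err_skb(sk, ackskb);
   	if (ret)
   		kfree_skb(ackskb);

   	local_irq_enable();
   }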

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

Download attachment ".config.gz" of type "application/gzip" (26420 bytes)
