| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iKMbUtDhU+B5dFJDABUSJJ3rnN0PWO0TDY=mRYEbNpHZw@mail.gmail.com>
Date: Tue, 20 Apr 2021 16:00:07 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Guenter Roeck <linux@...ck-us.net>
Cc: Eric Dumazet <eric.dumazet@...il.com>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
netdev <netdev@...r.kernel.org>,
syzbot <syzkaller@...glegroups.com>,
Mat Martineau <mathew.j.martineau@...ux.intel.com>,
Xuan Zhuo <xuanzhuo@...ux.alibaba.com>,
Jason Wang <jasowang@...hat.com>,
"Michael S. Tsirkin" <mst@...hat.com>,
virtualization@...ts.linux-foundation.org
Subject: Re: [PATCH net-next] virtio-net: fix use-after-free in page_to_skb()
On Tue, Apr 20, 2021 at 3:48 PM Guenter Roeck <linux@...ck-us.net> wrote:
>
> On 4/20/21 2:43 AM, Eric Dumazet wrote:
> >
>
> Unfortunately that doesn't fix the problem for me. With this patch applied
> on top of next-20210419, I still get the same crash as before:
>
> udhcpc: sending discover^M
> Unable to handle kernel paging request at virtual address 0000000000000004^M
> udhcpc(169): Oops -1^M
> pc = [<0000000000000004>] ra = [<fffffc0000b8c5b8>] ps = 0000 Not tainted^M
> pc is at 0x4^M
> ra is at napi_gro_receive+0x68/0x150^M
> v0 = 0000000000000000 t0 = 0000000000000008 t1 = 0000000000000000^M
> t2 = 0000000000000000 t3 = 000000000000000e t4 = 0000000000000038^M
> t5 = 000000000000ffff t6 = fffffc00002f298a t7 = fffffc0002c78000^M
> s0 = fffffc00010b3ca0 s1 = 0000000000000000 s2 = fffffc00011267e0^M
> s3 = 0000000000000000 s4 = fffffc00025f2008 s5 = fffffc00002f2940^M
> s6 = fffffc00025f2040^M
> a0 = fffffc00025f2008 a1 = fffffc00002f2940 a2 = fffffc0002ca000c^M
> a3 = fffffc00000250d0 a4 = 0000000effff0008 a5 = 0000000000000000^M
> t8 = fffffc00010b3c80 t9 = fffffc0002ca04cc t10= 0000000000000000^M
> t11= 00000000000004c0 pv = fffffc0000b8bc40 at = 0000000000000000^M
> gp = fffffc00010f9fb8 sp = 00000000df74db09^M
> Disabling lock debugging due to kernel taint^M
> Trace:^M
> [<fffffc0000b8c5b8>] napi_gro_receive+0x68/0x150^M
> [<fffffc00009b409c>] receive_buf+0x50c/0x1b80^M
> [<fffffc00009b58b8>] virtnet_poll+0x1a8/0x5b0^M
> [<fffffc00009b58ec>] virtnet_poll+0x1dc/0x5b0^M
> [<fffffc0000b8d17c>] __napi_poll+0x4c/0x270^M
> [<fffffc0000b8d670>] net_rx_action+0x130/0x2c0^M
> [<fffffc0000bd6cb0>] sch_direct_xmit+0x170/0x360^M
> [<fffffc0000bd7000>] __qdisc_run+0x160/0x6c0^M
> [<fffffc0000337b64>] do_softirq+0xa4/0xd0^M
> [<fffffc0000337ca4>] __local_bh_enable_ip+0x114/0x120^M
> [<fffffc0000b89554>] __dev_queue_xmit+0x484/0xa60^M
> [<fffffc0000cd072c>] packet_sendmsg+0xe7c/0x1ba0^M
> [<fffffc0000b53338>] __sys_sendto+0xf8/0x170^M
> [<fffffc0000cfec18>] _raw_spin_unlock+0x18/0x30^M
> [<fffffc0000a9bf7c>] ehci_irq+0x2cc/0x5c0^M
> [<fffffc0000a71334>] usb_hcd_irq+0x34/0x50^M
> [<fffffc0000b521bc>] move_addr_to_kernel+0x3c/0x60^M
> [<fffffc0000b532e4>] __sys_sendto+0xa4/0x170^M
> [<fffffc0000b533d4>] sys_sendto+0x24/0x40^M
> [<fffffc0000cfea38>] _raw_spin_lock+0x18/0x30^M
> [<fffffc0000cfec18>] _raw_spin_unlock+0x18/0x30^M
> [<fffffc0000325298>] clipper_enable_irq+0x98/0x100^M
> [<fffffc0000cfec18>] _raw_spin_unlock+0x18/0x30^M
> [<fffffc0000311514>] entSys+0xa4/0xc0^M
OK, it would be nice if you could get line number from this stack trace.
(scripts/decode_stacktrace.sh is your friend)
Powered by blists - more mailing lists