From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 2BB73A04AE;
	Tue,  8 Feb 2022 13:41:29 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id B59D7410FD;
	Tue,  8 Feb 2022 13:41:28 +0100 (CET)
Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com
 [209.85.208.172])
 by mails.dpdk.org (Postfix) with ESMTP id B8164410FC
 for <dev@dpdk.org>; Tue,  8 Feb 2022 13:41:27 +0100 (CET)
Received: by mail-lj1-f172.google.com with SMTP id bx31so24324756ljb.0
 for <dev@dpdk.org>; Tue, 08 Feb 2022 04:41:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nfware.com; s=google;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=e3pBm0v34lZ9W+ac+HbPjmHvfPWzU3Jm7/LF4pT5HgY=;
 b=J4SdH7IpKWTXv33KtNzR+QiSa7FjwLaJmGsn0K+RWqWx8G2PIDGkRbn62TJuydl7+z
 dMUoc7IxRrdeippDSdSKrd/B6Qt2cymxrZ1mmyY+FhkgTQrz7LFBwhiUkTamDZlN333V
 6LfXMFdC9zKBtwgxQGIqrVsA7T2A+tM8pIxYwLMGWeUZYR5ZV6nsoa9mznTFXCiWkNPh
 H1mWr9K3Sg6SDrUt6s3QnlU82gulwNX48b5MalS0Dkac/gGrMckh9oOOI0HpG5hrpHbq
 Ivhs9FfTMhAorRLzHLc8JZqQmB9U4tZdKvlFpQZIIZc6xlUKuKNts/CAt3NU63XBQ9aZ
 SXQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=e3pBm0v34lZ9W+ac+HbPjmHvfPWzU3Jm7/LF4pT5HgY=;
 b=mDjeRLWhzMSeq3rXauDrJK3C7zXCNx/r9UmiOofPgBofIo3S8B27ItvtJUyBtVJlIM
 bqFd3zS/B7VixSv88TASh6K3AXuVrnBqTNT9VF+4f40p11HtHqwM+Oem7ixmVkTgvl7Q
 6vGynllly1azqzn+pTOuWXE0b2NfDqzMRoAtHkt3uvRtkTF8L0RVwSt+JE8Kw6/jC3/m
 ejARjLE5nIqbiGJvPub+iXNiOvF9GxQbHRIRSOHs+1C1vNncVZzHETVZejvImvn9lkk5
 HiUb+6LprzhdxnxaE68b23AH505EAIlAY2uiW0jkfdKaOPSiuajMfThMwli44xlL9xBP
 bByw==
X-Gm-Message-State: AOAM531JLu4lrluZpY9TAy/c5zVhUJFHHcJOTFaSejGWnuo7mFVoQ00r
 kjlfD3KtLEG6MqeAcT21zc0LxkNLQmScUNfhSszHUw==
X-Google-Smtp-Source: ABdhPJzc4o8ejzJNyQWmDjGxBk9i26rP3wBmdj6ci0eKOHbU+3IqMwotDq5vPzM5zyc0UdvoH9flUmyZdvYVDLspuCY=
X-Received: by 2002:a05:651c:1a07:: with SMTP id
 by7mr2914413ljb.66.1644324087063; 
 Tue, 08 Feb 2022 04:41:27 -0800 (PST)
MIME-Version: 1.0
References: <20220128024336.26961-1-humin29@huawei.com>
In-Reply-To: <20220128024336.26961-1-humin29@huawei.com>
From: Igor Ryzhov <iryzhov@nfware.com>
Date: Tue, 8 Feb 2022 15:41:16 +0300
Message-ID: <CAF+s_FxNYnoxUvgNdWBf-Pxn3V0efTG2CBkp89JVB8-esiyBxA@mail.gmail.com>
Subject: Re: [PATCH] kni: fix use-after-free when kni release
To: "Min Hu (Connor)" <humin29@huawei.com>
Cc: dev@dpdk.org, ferruh.yigit@intel.com, thomas@monjalon.net
Content-Type: multipart/alternative; boundary="0000000000001afbaa05d7810947"
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

--0000000000001afbaa05d7810947
Content-Type: text/plain; charset="UTF-8"

Looks correct.
Could you, please, also change the order of `list_del` and `kni_dev_remove`
in `kni_release`? It suffers from the same problem.

Igor

On Fri, Jan 28, 2022 at 5:43 AM Min Hu (Connor) <humin29@huawei.com> wrote:

> From: Huisong Li <lihuisong@huawei.com>
>
> The "kni_dev" is the private data of the "net_device" in kni, and allocated
> with the "net_device" by calling "alloc_netdev()". The "net_device" is
> freed by calling "free_netdev()" when kni release. The freed memory
> includes the "kni_dev". So After "kni_dev" should not be accessed after
> "net_device" is released.
>
> Fixes: e77fec694936 ("kni: fix possible mbuf leaks and speed up port
> release")
> Cc: stable@dpdk.org
>
> KASAN trace:
>
> [   85.263717] ==========================================================
> [   85.264418] BUG: KASAN: use-after-free in kni_net_release_fifo_phy+
>                 0x30/0x84 [rte_kni]
> [   85.265139] Read of size 8 at addr ffff000260668d60 by task kni/341
> [   85.265703]
> [   85.265857] CPU: 0 PID: 341 Comm: kni Tainted: G     U     O
>                 5.15.0-rc4+ #1
> [   85.266525] Hardware name: linux,dummy-virt (DT)
> [   85.266968] Call trace:
> [   85.267220]  dump_backtrace+0x0/0x2d0
> [   85.267591]  show_stack+0x24/0x30
> [   85.267924]  dump_stack_lvl+0x8c/0xb8
> [   85.268294]  print_address_description.constprop.0+0x74/0x2b8
> [   85.268855]  kasan_report+0x1e4/0x200
> [   85.269224]  __asan_load8+0x98/0xd4
> [   85.269577]  kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
> [   85.270116]  kni_dev_remove.isra.0+0x50/0x64 [rte_kni]
> [   85.270630]  kni_ioctl_release+0x254/0x320 [rte_kni]
> [   85.271136]  kni_ioctl+0x64/0xb0 [rte_kni]
> [   85.271553]  __arm64_sys_ioctl+0xdc/0x120
> [   85.271955]  invoke_syscall+0x68/0x1a0
> [   85.272332]  el0_svc_common.constprop.0+0x90/0x200
> [   85.272807]  do_el0_svc+0x94/0xa4
> [   85.273144]  el0_svc+0x78/0x240
> [   85.273463]  el0t_64_sync_handler+0x1a8/0x1b0
> [   85.273895]  el0t_64_sync+0x1a0/0x1a4
> [   85.274264]
> [   85.274427] Allocated by task 341:
> [   85.274767]  kasan_save_stack+0x2c/0x60
> [   85.275157]  __kasan_kmalloc+0x90/0xb4
> [   85.275533]  __kmalloc_node+0x230/0x594
> [   85.275917]  kvmalloc_node+0x8c/0x190
> [   85.276286]  alloc_netdev_mqs+0x70/0x6b0
> [   85.276678]  kni_ioctl_create+0x224/0xf40 [rte_kni]
> [   85.277166]  kni_ioctl+0x9c/0xb0 [rte_kni]
> [   85.277581]  __arm64_sys_ioctl+0xdc/0x120
> [   85.277980]  invoke_syscall+0x68/0x1a0
> [   85.278357]  el0_svc_common.constprop.0+0x90/0x200
> [   85.278830]  do_el0_svc+0x94/0xa4
> [   85.279172]  el0_svc+0x78/0x240
> [   85.279491]  el0t_64_sync_handler+0x1a8/0x1b0
> [   85.279925]  el0t_64_sync+0x1a0/0x1a4
> [   85.280292]
> [   85.280454] Freed by task 341:
> [   85.280763]  kasan_save_stack+0x2c/0x60
> [   85.281147]  kasan_set_track+0x2c/0x40
> [   85.281522]  kasan_set_free_info+0x2c/0x50
> [   85.281930]  __kasan_slab_free+0xdc/0x140
> [   85.282331]  slab_free_freelist_hook+0x90/0x250
> [   85.282782]  kfree+0x128/0x580
> [   85.283099]  kvfree+0x48/0x60
> [   85.283402]  netdev_freemem+0x34/0x44
> [   85.283770]  netdev_release+0x50/0x64
> [   85.284138]  device_release+0xa0/0x120
> [   85.284516]  kobject_put+0xf8/0x160
> [   85.284867]  put_device+0x20/0x30
> [   85.285204]  free_netdev+0x22c/0x310
> [   85.285562]  kni_dev_remove.isra.0+0x48/0x64 [rte_kni]
> [   85.286076]  kni_ioctl_release+0x254/0x320 [rte_kni]
> [   85.286573]  kni_ioctl+0x64/0xb0 [rte_kni]
> [   85.286992]  __arm64_sys_ioctl+0xdc/0x120
> [   85.287392]  invoke_syscall+0x68/0x1a0
> [   85.287769]  el0_svc_common.constprop.0+0x90/0x200
> [   85.288243]  do_el0_svc+0x94/0xa4
> [   85.288579]  el0_svc+0x78/0x240
> [   85.288899]  el0t_64_sync_handler+0x1a8/0x1b0
> [   85.289332]  el0t_64_sync+0x1a0/0x1a4
> [   85.289699]
> [   85.289862] The buggy address belongs to the object at ffff000260668000
> [   85.289862]  which belongs to the cache kmalloc-cg-8k of size 8192
> [   85.291079] The buggy address is located 3424 bytes inside of
> [   85.291079]  8192-byte region [ffff000260668000, ffff00026066a000)
> [   85.292213] The buggy address belongs to the page:
> [   85.292684] page:(____ptrval____) refcount:1 mapcount:0 mapping:
>                 0000000000000000 index:0x0 pfn:0x2a0668
> [   85.293585] head:(____ptrval____) order:3 compound_mapcount:0
>                 compound_pincount:0
> [   85.294305] flags: 0xbfff80000010200(slab|head|node=0|zone=2|
>                 lastcpupid=0x7fff)
> [   85.295020] raw: 0bfff80000010200 0000000000000000 dead000000000122
>                 ffff0000c000d680
> [   85.295767] raw: 0000000000000000 0000000080020002 00000001ffffffff
>                 0000000000000000
> [   85.296512] page dumped because: kasan: bad access detected
> [   85.297054]
> [   85.297217] Memory state around the buggy address:
> [   85.297688]  ffff000260668c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                 fb fb
> [   85.298384]  ffff000260668c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                 fb fb
> [   85.299088] >ffff000260668d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                 fb fb
> [   85.299781]                                                        ^
> [   85.300396]  ffff000260668d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                 fb fb
> [   85.301092]  ffff000260668e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                 fb fb
> [   85.301787] ===========================================================
>
> Signed-off-by: Huisong Li <lihuisong@huawei.com>
> Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
> ---
>  kernel/linux/kni/kni_misc.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/linux/kni/kni_misc.c b/kernel/linux/kni/kni_misc.c
> index f10dcd069d..b3684c4fa6 100644
> --- a/kernel/linux/kni/kni_misc.c
> +++ b/kernel/linux/kni/kni_misc.c
> @@ -184,13 +184,17 @@ kni_dev_remove(struct kni_dev *dev)
>         if (!dev)
>                 return -ENODEV;
>
> +       /*
> +        * The memory of kni device is allocated and released together
> +        * with net device. Release mbuf before freeing net device.
> +        */
> +       kni_net_release_fifo_phy(dev);
> +
>         if (dev->net_dev) {
>                 unregister_netdev(dev->net_dev);
>                 free_netdev(dev->net_dev);
>         }
>
> -       kni_net_release_fifo_phy(dev);
> -
>         return 0;
>  }
>
> @@ -470,8 +474,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,
>                         dev->pthread = NULL;
>                 }
>
> -               kni_dev_remove(dev);
>                 list_del(&dev->list);
> +               kni_dev_remove(dev);
>                 ret = 0;
>                 break;
>         }
> --
> 2.33.0
>
>

--0000000000001afbaa05d7810947
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Looks correct.<div>Could you, please, also change the orde=
r of `list_del` and `kni_dev_remove` in `kni_release`? It suffers from the =
same problem.</div><div><br></div><div>Igor</div></div><br><div class=3D"gm=
ail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Jan 28, 2022 at 5:=
43 AM Min Hu (Connor) &lt;<a href=3D"mailto:humin29@huawei.com">humin29@hua=
wei.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;bord=
er-left-color:rgb(204,204,204);padding-left:1ex">From: Huisong Li &lt;<a hr=
ef=3D"mailto:lihuisong@huawei.com" target=3D"_blank">lihuisong@huawei.com</=
a>&gt;<br>
<br>
The &quot;kni_dev&quot; is the private data of the &quot;net_device&quot; i=
n kni, and allocated<br>
with the &quot;net_device&quot; by calling &quot;alloc_netdev()&quot;. The =
&quot;net_device&quot; is<br>
freed by calling &quot;free_netdev()&quot; when kni release. The freed memo=
ry<br>
includes the &quot;kni_dev&quot;. So After &quot;kni_dev&quot; should not b=
e accessed after<br>
&quot;net_device&quot; is released.<br>
<br>
Fixes: e77fec694936 (&quot;kni: fix possible mbuf leaks and speed up port r=
elease&quot;)<br>
Cc: <a href=3D"mailto:stable@dpdk.org" target=3D"_blank">stable@dpdk.org</a=
><br>
<br>
KASAN trace:<br>
<br>
[=C2=A0 =C2=A085.263717] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
[=C2=A0 =C2=A085.264418] BUG: KASAN: use-after-free in kni_net_release_fifo=
_phy+<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 0x30/0x84 [rte_kni]=
<br>
[=C2=A0 =C2=A085.265139] Read of size 8 at addr ffff000260668d60 by task kn=
i/341<br>
[=C2=A0 =C2=A085.265703]<br>
[=C2=A0 =C2=A085.265857] CPU: 0 PID: 341 Comm: kni Tainted: G=C2=A0 =C2=A0 =
=C2=A0U=C2=A0 =C2=A0 =C2=A0O=C2=A0 =C2=A0 =C2=A0 <br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 5.15.0-rc4+ #1<br>
[=C2=A0 =C2=A085.266525] Hardware name: linux,dummy-virt (DT)<br>
[=C2=A0 =C2=A085.266968] Call trace:<br>
[=C2=A0 =C2=A085.267220]=C2=A0 dump_backtrace+0x0/0x2d0<br>
[=C2=A0 =C2=A085.267591]=C2=A0 show_stack+0x24/0x30<br>
[=C2=A0 =C2=A085.267924]=C2=A0 dump_stack_lvl+0x8c/0xb8<br>
[=C2=A0 =C2=A085.268294]=C2=A0 print_address_description.constprop.0+0x74/0=
x2b8<br>
[=C2=A0 =C2=A085.268855]=C2=A0 kasan_report+0x1e4/0x200<br>
[=C2=A0 =C2=A085.269224]=C2=A0 __asan_load8+0x98/0xd4<br>
[=C2=A0 =C2=A085.269577]=C2=A0 kni_net_release_fifo_phy+0x30/0x84 [rte_kni]=
<br>
[=C2=A0 =C2=A085.270116]=C2=A0 kni_dev_remove.isra.0+0x50/0x64 [rte_kni]<br=
>
[=C2=A0 =C2=A085.270630]=C2=A0 kni_ioctl_release+0x254/0x320 [rte_kni]<br>
[=C2=A0 =C2=A085.271136]=C2=A0 kni_ioctl+0x64/0xb0 [rte_kni]<br>
[=C2=A0 =C2=A085.271553]=C2=A0 __arm64_sys_ioctl+0xdc/0x120<br>
[=C2=A0 =C2=A085.271955]=C2=A0 invoke_syscall+0x68/0x1a0<br>
[=C2=A0 =C2=A085.272332]=C2=A0 el0_svc_common.constprop.0+0x90/0x200<br>
[=C2=A0 =C2=A085.272807]=C2=A0 do_el0_svc+0x94/0xa4<br>
[=C2=A0 =C2=A085.273144]=C2=A0 el0_svc+0x78/0x240<br>
[=C2=A0 =C2=A085.273463]=C2=A0 el0t_64_sync_handler+0x1a8/0x1b0<br>
[=C2=A0 =C2=A085.273895]=C2=A0 el0t_64_sync+0x1a0/0x1a4<br>
[=C2=A0 =C2=A085.274264]<br>
[=C2=A0 =C2=A085.274427] Allocated by task 341:<br>
[=C2=A0 =C2=A085.274767]=C2=A0 kasan_save_stack+0x2c/0x60<br>
[=C2=A0 =C2=A085.275157]=C2=A0 __kasan_kmalloc+0x90/0xb4<br>
[=C2=A0 =C2=A085.275533]=C2=A0 __kmalloc_node+0x230/0x594<br>
[=C2=A0 =C2=A085.275917]=C2=A0 kvmalloc_node+0x8c/0x190<br>
[=C2=A0 =C2=A085.276286]=C2=A0 alloc_netdev_mqs+0x70/0x6b0<br>
[=C2=A0 =C2=A085.276678]=C2=A0 kni_ioctl_create+0x224/0xf40 [rte_kni]<br>
[=C2=A0 =C2=A085.277166]=C2=A0 kni_ioctl+0x9c/0xb0 [rte_kni]<br>
[=C2=A0 =C2=A085.277581]=C2=A0 __arm64_sys_ioctl+0xdc/0x120<br>
[=C2=A0 =C2=A085.277980]=C2=A0 invoke_syscall+0x68/0x1a0<br>
[=C2=A0 =C2=A085.278357]=C2=A0 el0_svc_common.constprop.0+0x90/0x200<br>
[=C2=A0 =C2=A085.278830]=C2=A0 do_el0_svc+0x94/0xa4<br>
[=C2=A0 =C2=A085.279172]=C2=A0 el0_svc+0x78/0x240<br>
[=C2=A0 =C2=A085.279491]=C2=A0 el0t_64_sync_handler+0x1a8/0x1b0<br>
[=C2=A0 =C2=A085.279925]=C2=A0 el0t_64_sync+0x1a0/0x1a4<br>
[=C2=A0 =C2=A085.280292]<br>
[=C2=A0 =C2=A085.280454] Freed by task 341:<br>
[=C2=A0 =C2=A085.280763]=C2=A0 kasan_save_stack+0x2c/0x60<br>
[=C2=A0 =C2=A085.281147]=C2=A0 kasan_set_track+0x2c/0x40<br>
[=C2=A0 =C2=A085.281522]=C2=A0 kasan_set_free_info+0x2c/0x50<br>
[=C2=A0 =C2=A085.281930]=C2=A0 __kasan_slab_free+0xdc/0x140<br>
[=C2=A0 =C2=A085.282331]=C2=A0 slab_free_freelist_hook+0x90/0x250<br>
[=C2=A0 =C2=A085.282782]=C2=A0 kfree+0x128/0x580<br>
[=C2=A0 =C2=A085.283099]=C2=A0 kvfree+0x48/0x60<br>
[=C2=A0 =C2=A085.283402]=C2=A0 netdev_freemem+0x34/0x44<br>
[=C2=A0 =C2=A085.283770]=C2=A0 netdev_release+0x50/0x64<br>
[=C2=A0 =C2=A085.284138]=C2=A0 device_release+0xa0/0x120<br>
[=C2=A0 =C2=A085.284516]=C2=A0 kobject_put+0xf8/0x160<br>
[=C2=A0 =C2=A085.284867]=C2=A0 put_device+0x20/0x30<br>
[=C2=A0 =C2=A085.285204]=C2=A0 free_netdev+0x22c/0x310<br>
[=C2=A0 =C2=A085.285562]=C2=A0 kni_dev_remove.isra.0+0x48/0x64 [rte_kni]<br=
>
[=C2=A0 =C2=A085.286076]=C2=A0 kni_ioctl_release+0x254/0x320 [rte_kni]<br>
[=C2=A0 =C2=A085.286573]=C2=A0 kni_ioctl+0x64/0xb0 [rte_kni]<br>
[=C2=A0 =C2=A085.286992]=C2=A0 __arm64_sys_ioctl+0xdc/0x120<br>
[=C2=A0 =C2=A085.287392]=C2=A0 invoke_syscall+0x68/0x1a0<br>
[=C2=A0 =C2=A085.287769]=C2=A0 el0_svc_common.constprop.0+0x90/0x200<br>
[=C2=A0 =C2=A085.288243]=C2=A0 do_el0_svc+0x94/0xa4<br>
[=C2=A0 =C2=A085.288579]=C2=A0 el0_svc+0x78/0x240<br>
[=C2=A0 =C2=A085.288899]=C2=A0 el0t_64_sync_handler+0x1a8/0x1b0<br>
[=C2=A0 =C2=A085.289332]=C2=A0 el0t_64_sync+0x1a0/0x1a4<br>
[=C2=A0 =C2=A085.289699]<br>
[=C2=A0 =C2=A085.289862] The buggy address belongs to the object at ffff000=
260668000<br>
[=C2=A0 =C2=A085.289862]=C2=A0 which belongs to the cache kmalloc-cg-8k of =
size 8192<br>
[=C2=A0 =C2=A085.291079] The buggy address is located 3424 bytes inside of<=
br>
[=C2=A0 =C2=A085.291079]=C2=A0 8192-byte region [ffff000260668000, ffff0002=
6066a000)<br>
[=C2=A0 =C2=A085.292213] The buggy address belongs to the page:<br>
[=C2=A0 =C2=A085.292684] page:(____ptrval____) refcount:1 mapcount:0 mappin=
g:<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 0000000000000000 in=
dex:0x0 pfn:0x2a0668<br>
[=C2=A0 =C2=A085.293585] head:(____ptrval____) order:3 compound_mapcount:0<=
br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 compound_pincount:0=
<br>
[=C2=A0 =C2=A085.294305] flags: 0xbfff80000010200(slab|head|node=3D0|zone=
=3D2|<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 lastcpupid=3D0x7fff=
)<br>
[=C2=A0 =C2=A085.295020] raw: 0bfff80000010200 0000000000000000 dead0000000=
00122<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ffff0000c000d680<br=
>
[=C2=A0 =C2=A085.295767] raw: 0000000000000000 0000000080020002 00000001fff=
fffff<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 0000000000000000<br=
>
[=C2=A0 =C2=A085.296512] page dumped because: kasan: bad access detected<br=
>
[=C2=A0 =C2=A085.297054]<br>
[=C2=A0 =C2=A085.297217] Memory state around the buggy address:<br>
[=C2=A0 =C2=A085.297688]=C2=A0 ffff000260668c00: fb fb fb fb fb fb fb fb fb=
 fb fb fb fb fb<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 fb fb<br>
[=C2=A0 =C2=A085.298384]=C2=A0 ffff000260668c80: fb fb fb fb fb fb fb fb fb=
 fb fb fb fb fb<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 fb fb<br>
[=C2=A0 =C2=A085.299088] &gt;ffff000260668d00: fb fb fb fb fb fb fb fb fb f=
b fb fb fb fb<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 fb fb<br>
[=C2=A0 =C2=A085.299781]=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ^=
<br>
[=C2=A0 =C2=A085.300396]=C2=A0 ffff000260668d80: fb fb fb fb fb fb fb fb fb=
 fb fb fb fb fb<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 fb fb<br>
[=C2=A0 =C2=A085.301092]=C2=A0 ffff000260668e00: fb fb fb fb fb fb fb fb fb=
 fb fb fb fb fb<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 fb fb<br>
[=C2=A0 =C2=A085.301787] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
<br>
Signed-off-by: Huisong Li &lt;<a href=3D"mailto:lihuisong@huawei.com" targe=
t=3D"_blank">lihuisong@huawei.com</a>&gt;<br>
Signed-off-by: Min Hu (Connor) &lt;<a href=3D"mailto:humin29@huawei.com" ta=
rget=3D"_blank">humin29@huawei.com</a>&gt;<br>
---<br>
=C2=A0kernel/linux/kni/kni_misc.c | 10 +++++++---<br>
=C2=A01 file changed, 7 insertions(+), 3 deletions(-)<br>
<br>
diff --git a/kernel/linux/kni/kni_misc.c b/kernel/linux/kni/kni_misc.c<br>
index f10dcd069d..b3684c4fa6 100644<br>
--- a/kernel/linux/kni/kni_misc.c<br>
+++ b/kernel/linux/kni/kni_misc.c<br>
@@ -184,13 +184,17 @@ kni_dev_remove(struct kni_dev *dev)<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 if (!dev)<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 return -ENODEV;<br>
<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0/*<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 * The memory of kni device is allocated and re=
leased together<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 * with net device. Release mbuf before freeing=
 net device.<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 */<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0kni_net_release_fifo_phy(dev);<br>
+<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 if (dev-&gt;net_dev) {<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 unregister_netdev(d=
ev-&gt;net_dev);<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 free_netdev(dev-&gt=
;net_dev);<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 }<br>
<br>
-=C2=A0 =C2=A0 =C2=A0 =C2=A0kni_net_release_fifo_phy(dev);<br>
-<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 return 0;<br>
=C2=A0}<br>
<br>
@@ -470,8 +474,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,<=
br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 dev-&gt;pthread =3D NULL;<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 }<br>
<br>
-=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0kni_dev_remove(dev)=
;<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 list_del(&amp;dev-&=
gt;list);<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0kni_dev_remove(dev)=
;<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ret =3D 0;<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 break;<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 }<br>
-- <br>
2.33.0<br>
<br>
</blockquote></div>

--0000000000001afbaa05d7810947--