From: Igor Ryzhov
Date: Wed, 9 Feb 2022 15:41:35 +0300
Subject: Re: [PATCH] kni: fix use-after-free when kni release
To: "Min Hu (Connor)"
Cc: dev@dpdk.org, ferruh.yigit@intel.com, thomas@monjalon.net
In-Reply-To: <7b8176d2-6d6a-a122-7ce2-42c171ede36d@huawei.com>
References: <20220128024336.26961-1-humin29@huawei.com> <7b8176d2-6d6a-a122-7ce2-42c171ede36d@huawei.com>
List-Id: DPDK patches and discussions

Acked-by: Igor Ryzhov

On Wed, Feb 9, 2022 at 10:36 AM Min Hu (Connor) wrote:
> Hi, Igor,
> fixed in v2, please check it, thanks.
>
> On 2022/2/8 20:41, Igor Ryzhov wrote:
> > Looks correct.
> > Could you, please, also change the order of `list_del` and
> > `kni_dev_remove` in `kni_release`? It suffers from the same problem.
> >
> > Igor
> >
> > On Fri, Jan 28, 2022 at 5:43 AM Min Hu (Connor) wrote:
> > >
> > > From: Huisong Li
> > >
> > > The "kni_dev" is the private data of the "net_device" in kni, and
> > > allocated with the "net_device" by calling "alloc_netdev()". The
> > > "net_device" is freed by calling "free_netdev()" when kni is released.
> > > The freed memory includes the "kni_dev". So the "kni_dev" should not
> > > be accessed after the "net_device" is released.
> > >
> > > Fixes: e77fec694936 ("kni: fix possible mbuf leaks and speed up port
> > > release")
> > > Cc: stable@dpdk.org
> > >
> > > KASAN trace:
> > >
> > > [   85.263717] ==================================================================
> > > [   85.264418] BUG: KASAN: use-after-free in kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
> > > [   85.265139] Read of size 8 at addr ffff000260668d60 by task kni/341
> > > [   85.265703]
> > > [   85.265857] CPU: 0 PID: 341 Comm: kni Tainted: G     U     O 5.15.0-rc4+ #1
> > > [   85.266525] Hardware name: linux,dummy-virt (DT)
> > > [   85.266968] Call trace:
> > > [   85.267220]  dump_backtrace+0x0/0x2d0
> > > [   85.267591]  show_stack+0x24/0x30
> > > [   85.267924]  dump_stack_lvl+0x8c/0xb8
> > > [   85.268294]  print_address_description.constprop.0+0x74/0x2b8
> > > [   85.268855]  kasan_report+0x1e4/0x200
> > > [   85.269224]  __asan_load8+0x98/0xd4
> > > [   85.269577]  kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
> > > [   85.270116]  kni_dev_remove.isra.0+0x50/0x64 [rte_kni]
> > > [   85.270630]  kni_ioctl_release+0x254/0x320 [rte_kni]
> > > [   85.271136]  kni_ioctl+0x64/0xb0 [rte_kni]
> > > [   85.271553]  __arm64_sys_ioctl+0xdc/0x120
> > > [   85.271955]  invoke_syscall+0x68/0x1a0
> > > [   85.272332]  el0_svc_common.constprop.0+0x90/0x200
> > > [   85.272807]  do_el0_svc+0x94/0xa4
> > > [   85.273144]  el0_svc+0x78/0x240
> > > [   85.273463]  el0t_64_sync_handler+0x1a8/0x1b0
> > > [   85.273895]  el0t_64_sync+0x1a0/0x1a4
> > > [   85.274264]
> > > [   85.274427] Allocated by task 341:
> > > [   85.274767]  kasan_save_stack+0x2c/0x60
> > > [   85.275157]  __kasan_kmalloc+0x90/0xb4
> > > [   85.275533]  __kmalloc_node+0x230/0x594
> > > [   85.275917]  kvmalloc_node+0x8c/0x190
> > > [   85.276286]  alloc_netdev_mqs+0x70/0x6b0
> > > [   85.276678]  kni_ioctl_create+0x224/0xf40 [rte_kni]
> > > [   85.277166]  kni_ioctl+0x9c/0xb0 [rte_kni]
> > > [   85.277581]  __arm64_sys_ioctl+0xdc/0x120
> > > [   85.277980]  invoke_syscall+0x68/0x1a0
> > > [   85.278357]  el0_svc_common.constprop.0+0x90/0x200
> > > [   85.278830]  do_el0_svc+0x94/0xa4
> > > [   85.279172]  el0_svc+0x78/0x240
> > > [   85.279491]  el0t_64_sync_handler+0x1a8/0x1b0
> > > [   85.279925]  el0t_64_sync+0x1a0/0x1a4
> > > [   85.280292]
> > > [   85.280454] Freed by task 341:
> > > [   85.280763]  kasan_save_stack+0x2c/0x60
> > > [   85.281147]  kasan_set_track+0x2c/0x40
> > > [   85.281522]  kasan_set_free_info+0x2c/0x50
> > > [   85.281930]  __kasan_slab_free+0xdc/0x140
> > > [   85.282331]  slab_free_freelist_hook+0x90/0x250
> > > [   85.282782]  kfree+0x128/0x580
> > > [   85.283099]  kvfree+0x48/0x60
> > > [   85.283402]  netdev_freemem+0x34/0x44
> > > [   85.283770]  netdev_release+0x50/0x64
> > > [   85.284138]  device_release+0xa0/0x120
> > > [   85.284516]  kobject_put+0xf8/0x160
> > > [   85.284867]  put_device+0x20/0x30
> > > [   85.285204]  free_netdev+0x22c/0x310
> > > [   85.285562]  kni_dev_remove.isra.0+0x48/0x64 [rte_kni]
> > > [   85.286076]  kni_ioctl_release+0x254/0x320 [rte_kni]
> > > [   85.286573]  kni_ioctl+0x64/0xb0 [rte_kni]
> > > [   85.286992]  __arm64_sys_ioctl+0xdc/0x120
> > > [   85.287392]  invoke_syscall+0x68/0x1a0
> > > [   85.287769]  el0_svc_common.constprop.0+0x90/0x200
> > > [   85.288243]  do_el0_svc+0x94/0xa4
> > > [   85.288579]  el0_svc+0x78/0x240
> > > [   85.288899]  el0t_64_sync_handler+0x1a8/0x1b0
> > > [   85.289332]  el0t_64_sync+0x1a0/0x1a4
> > > [   85.289699]
> > > [   85.289862] The buggy address belongs to the object at ffff000260668000
> > > [   85.289862]  which belongs to the cache kmalloc-cg-8k of size 8192
> > > [   85.291079] The buggy address is located 3424 bytes inside of
> > > [   85.291079]  8192-byte region [ffff000260668000, ffff00026066a000)
> > > [   85.292213] The buggy address belongs to the page:
> > > [   85.292684] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a0668
> > > [   85.293585] head:(____ptrval____) order:3 compound_mapcount:0 compound_pincount:0
> > > [   85.294305] flags: 0xbfff80000010200(slab|head|node=0|zone=2|lastcpupid=0x7fff)
> > > [   85.295020] raw: 0bfff80000010200 0000000000000000 dead000000000122 ffff0000c000d680
> > > [   85.295767] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
> > > [   85.296512] page dumped because: kasan: bad access detected
> > > [   85.297054]
> > > [   85.297217] Memory state around the buggy address:
> > > [   85.297688]  ffff000260668c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > [   85.298384]  ffff000260668c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > [   85.299088] >ffff000260668d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > [   85.299781]                                        ^
> > > [   85.300396]  ffff000260668d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > [   85.301092]  ffff000260668e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > [   85.301787] ==================================================================
> > >
> > > Signed-off-by: Huisong Li
> > > Signed-off-by: Min Hu (Connor)
> > > ---
> > >  kernel/linux/kni/kni_misc.c | 10 +++++++---
> > >  1 file changed, 7 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/kernel/linux/kni/kni_misc.c b/kernel/linux/kni/kni_misc.c
> > > index f10dcd069d..b3684c4fa6 100644
> > > --- a/kernel/linux/kni/kni_misc.c
> > > +++ b/kernel/linux/kni/kni_misc.c
> > > @@ -184,13 +184,17 @@ kni_dev_remove(struct kni_dev *dev)
> > >         if (!dev)
> > >                 return -ENODEV;
> > >
> > > +       /*
> > > +        * The memory of kni device is allocated and released together
> > > +        * with net device. Release mbuf before freeing net device.
> > > +        */
> > > +       kni_net_release_fifo_phy(dev);
> > > +
> > >         if (dev->net_dev) {
> > >                 unregister_netdev(dev->net_dev);
> > >                 free_netdev(dev->net_dev);
> > >         }
> > >
> > > -       kni_net_release_fifo_phy(dev);
> > > -
> > >         return 0;
> > >  }
> > >
> > > @@ -470,8 +474,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,
> > >                         dev->pthread = NULL;
> > >                 }
> > >
> > > -               kni_dev_remove(dev);
> > >                 list_del(&dev->list);
> > > +               kni_dev_remove(dev);
> > >                 ret = 0;
> > >                 break;
> > >         }
> > > --
> > > 2.33.0
> > >
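Review bot: In the kni_dev_remove() hunk the reordering is right, but the new comment should also state that `dev` itself is invalid once `free_netdev(dev->net_dev)` returns, because, as the description says, the kni_dev lives inside the net_device allocation; any caller that touches `dev` after kni_dev_remove() would hit the same use-after-free. Suggest extending the comment, e.g. `* with net device. Release mbuf before freeing net device;` / `* dev must not be used after free_netdev().`, and keeping `return 0;` as the only statement after the free, as the hunk already does.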
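Review bot: The kni_ioctl_release() hunk moves `list_del(&dev->list);` ahead of `kni_dev_remove(dev);`, which is needed for the same reason: `dev->list` is inside the kni_dev that kni_dev_remove() frees. The identical `kni_dev_remove(dev);` / `list_del(&dev->list);` sequence in kni_release(), raised earlier in this thread, is not part of this diff; the reply says it is handled in v2, so v2 should be checked for that second reordering before the ack is carried over.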
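A user-space model of the bug the patch above fixes, added here as an example and not code from DPDK or the kernel: the modelled `struct net_device` and `struct kni_dev`, the `model_*` helpers and `run_teardown()` are assumptions standing in for alloc_netdev(), netdev_priv(), free_netdev() and kni_net_release_fifo_phy(). A one-entry shadow table stands in for KASAN, so the original and patched teardown orders can be compared by return value instead of by crashing.

```c
#include <stdint.h>
#include <stdlib.h>

/* Modelled layouts, not the kernel's or DPDK's real structs. */
struct net_device { size_t alloc_size; char name[16]; };
struct kni_dev { struct net_device *net_dev; int *rx_fifo; };

/* One-entry shadow table standing in for KASAN: range of the last freed block. */
static uintptr_t freed_start;
static size_t freed_len;

/* Like alloc_netdev(): one block, net_device first, priv right behind it. */
static struct net_device *model_alloc_netdev(size_t sizeof_priv)
{
	struct net_device *nd = calloc(1, sizeof(*nd) + sizeof_priv);
	if (nd)
		nd->alloc_size = sizeof(*nd) + sizeof_priv;
	freed_len = 0;	/* a fresh allocation makes any stale freed range live again */
	return nd;
}

/* Like free_netdev(): the whole block goes, priv included; record its range. */
static void model_free_netdev(struct net_device *nd)
{
	freed_start = (uintptr_t)nd;
	freed_len = nd->alloc_size;
	free(nd);
}

/* Like kni_net_release_fifo_phy(): -1 if dev lies inside the freed block (the
 * use-after-free KASAN reported; the FIFO's mbufs would leak too), else 0. */
static int model_release_fifo_phy(struct kni_dev *dev)
{
	uintptr_t a = (uintptr_t)dev;
	if (a >= freed_start && a < freed_start + freed_len)
		return -1;
	free(dev->rx_fifo);
	dev->rx_fifo = NULL;
	return 0;
}

/* Original order: free net_dev (and dev with it), then touch dev. */
static int remove_buggy(struct kni_dev *dev)
{
	model_free_netdev(dev->net_dev);
	return model_release_fifo_phy(dev);
}

/* Patched order: release the FIFO while dev is alive, then free net_dev. */
static int remove_fixed(struct kni_dev *dev)
{
	int ret = model_release_fifo_phy(dev);
	model_free_netdev(dev->net_dev);
	return ret;
}

/* Creates one device as kni_ioctl_create() would, then removes it:
 * 0 for a clean teardown, -1 for a detected use-after-free. */
int run_teardown(int patched)
{
	struct net_device *nd = model_alloc_netdev(sizeof(struct kni_dev));
	if (!nd)
		return -2;
	struct kni_dev *dev = (struct kni_dev *)(nd + 1);	/* like netdev_priv() */
	dev->net_dev = nd;
	dev->rx_fifo = calloc(4, sizeof(int));
	return patched ? remove_fixed(dev) : remove_buggy(dev);
}
```

The priv pointer sits a fixed offset inside the same block, which is exactly what the KASAN report shows ("3424 bytes inside of 8192-byte region"), so releasing the FIFOs after free_netdev() can never be made safe by a NULL check on `dev`.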