Re: [PATCH v3] net: fix skb use after free in netpoll
From: David Miller
Date: Tue Aug 27 2019 - 23:52:58 EST
From: Feng Sun <loyou85@xxxxxxxxx>
Date: Mon, 26 Aug 2019 14:46:04 +0800
> After commit baeababb5b85d5c4e6c917efe2a1504179438d3b
> ("tun: return NET_XMIT_DROP for dropped packets"),
> when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP,
> netpoll_send_skb_on_dev will run into following use after free cases:
> 1. retry netpoll_start_xmit with freed skb;
> 2. queue freed skb in npinfo->txq.
> queue_process will also run into use after free case.
>
> hit netpoll_send_skb_on_dev first case with following kernel log:
...
> Signed-off-by: Feng Sun <loyou85@xxxxxxxxx>
> Signed-off-by: Xiaojun Zhao <xiaojunzhao141@xxxxxxxxx>
Applied and queued up for -stable.