diff options
| author | Jesper Dangaard Brouer <brouer@redhat.com> | 2023-02-03 15:59:29 +0300 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2023-02-06 12:56:38 +0300 |
| commit | 9dde0cd3b10f63bc4100ebadc7e32275baabfa68 (patch) | |
| tree | 08f48b41359f74ea3e8b1af884de2cc21d5aa9c4 /net/core | |
| parent | 149e8fb06cd925c38cfeb14458480be0cbe3a099 (diff) | |
| download | linux-9dde0cd3b10f63bc4100ebadc7e32275baabfa68.tar.xz | |
net: introduce skb_poison_list and use in kfree_skb_list
First user of skb_poison_list is in kfree_skb_list_reason, to catch bugs
earlier like introduced in commit eedade12f4cb ("net: kfree_skb_list use
kmem_cache_free_bulk"). For completeness mentioned bug have been fixed in
commit f72ff8b81ebc ("net: fix kfree_skb_list use of skb_mark_not_on_list").
In case of a bug like mentioned commit we would have seen OOPS with:
general protection fault, probably for non-canonical address 0xdead000000000870
And content of one the registers e.g. R13: dead000000000800
In this case skb->len is at offset 112 bytes (0x70) why fault happens at
0x800+0x70 = 0x870
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
| -rw-r--r-- | net/core/skbuff.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 44a19805c355..624e9e4ec116 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1000,8 +1000,10 @@ kfree_skb_list_reason(struct sk_buff *segs, enum skb_drop_reason reason) while (segs) { struct sk_buff *next = segs->next; - if (__kfree_skb_reason(segs, reason)) + if (__kfree_skb_reason(segs, reason)) { + skb_poison_list(segs); kfree_skb_add_bulk(segs, &sa, reason); + } segs = next; } |