linux-stable/net
Ursula Braun 1d8df41d89 net/smc: reset sndbuf_desc if freed
When an SMC connection is created, and there is a problem to
create an RMB or DMB, the previously created send buffer is
thrown away as well including buffer descriptor freeing.
Make sure the connection no longer references the freed
buffer descriptor, otherwise bugs like this are possible:

[71556.835148] =============================================================================
[71556.835168] BUG kmalloc-128 (Tainted: G    B      OE    ): Poison overwritten
[71556.835172] -----------------------------------------------------------------------------

[71556.835179] INFO: 0x00000000d20894be-0x00000000aaef63e9 @offset=2724. First byte 0x0 instead of 0x6b
[71556.835215] INFO: Allocated in __smc_buf_create+0x184/0x578 [smc] age=0 cpu=5 pid=46726
[71556.835234]     ___slab_alloc+0x5a4/0x690
[71556.835239]     __slab_alloc.constprop.0+0x70/0xb0
[71556.835243]     kmem_cache_alloc_trace+0x38e/0x3f8
[71556.835250]     __smc_buf_create+0x184/0x578 [smc]
[71556.835257]     smc_buf_create+0x2e/0xe8 [smc]
[71556.835264]     smc_listen_work+0x516/0x6a0 [smc]
[71556.835275]     process_one_work+0x280/0x478
[71556.835280]     worker_thread+0x66/0x368
[71556.835287]     kthread+0x17a/0x1a0
[71556.835294]     ret_from_fork+0x28/0x2c
[71556.835301] INFO: Freed in smc_buf_create+0xd8/0xe8 [smc] age=0 cpu=5 pid=46726
[71556.835307]     __slab_free+0x246/0x560
[71556.835311]     kfree+0x398/0x3f8
[71556.835318]     smc_buf_create+0xd8/0xe8 [smc]
[71556.835324]     smc_listen_work+0x516/0x6a0 [smc]
[71556.835328]     process_one_work+0x280/0x478
[71556.835332]     worker_thread+0x66/0x368
[71556.835337]     kthread+0x17a/0x1a0
[71556.835344]     ret_from_fork+0x28/0x2c
[71556.835348] INFO: Slab 0x00000000a0744551 objects=51 used=51 fp=0x0000000000000000 flags=0x1ffff00000010200
[71556.835352] INFO: Object 0x00000000563480a1 @offset=2688 fp=0x00000000289567b2

[71556.835359] Redzone 000000006783cde2: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835363] Redzone 00000000e35b876e: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835367] Redzone 0000000023074562: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835372] Redzone 00000000b9564b8c: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835376] Redzone 00000000810c6362: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835380] Redzone 0000000065ef52c3: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835384] Redzone 00000000c5dd6984: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835388] Redzone 000000004c480f8f: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[71556.835392] Object 00000000563480a1: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[71556.835397] Object 000000009c479d06: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[71556.835401] Object 000000006e1dce92: 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b  kkkk....kkkkkkkk
[71556.835405] Object 00000000227f7cf8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[71556.835410] Object 000000009a701215: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[71556.835414] Object 000000003731ce76: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[71556.835418] Object 00000000f7085967: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[71556.835422] Object 0000000007f99927: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[71556.835427] Redzone 00000000579c4913: bb bb bb bb bb bb bb bb                          ........
[71556.835431] Padding 00000000305aef82: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[71556.835435] Padding 00000000b1cdd722: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[71556.835438] Padding 00000000c7568199: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[71556.835442] Padding 00000000fad4c4d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[71556.835451] CPU: 0 PID: 47939 Comm: kworker/0:15 Tainted: G    B      OE     5.9.0-rc1uschi+ #54
[71556.835456] Hardware name: IBM 3906 M03 703 (LPAR)
[71556.835464] Workqueue: events smc_listen_work [smc]
[71556.835470] Call Trace:
[71556.835478]  [<00000000d5eaeb10>] show_stack+0x90/0xf8
[71556.835493]  [<00000000d66fc0f8>] dump_stack+0xa8/0xe8
[71556.835499]  [<00000000d61a511c>] check_bytes_and_report+0x104/0x130
[71556.835504]  [<00000000d61a57b2>] check_object+0x26a/0x2e0
[71556.835509]  [<00000000d61a59bc>] alloc_debug_processing+0x194/0x238
[71556.835514]  [<00000000d61a8c14>] ___slab_alloc+0x5a4/0x690
[71556.835519]  [<00000000d61a9170>] __slab_alloc.constprop.0+0x70/0xb0
[71556.835524]  [<00000000d61aaf66>] kmem_cache_alloc_trace+0x38e/0x3f8
[71556.835530]  [<000003ff80549bbc>] __smc_buf_create+0x184/0x578 [smc]
[71556.835538]  [<000003ff8054a396>] smc_buf_create+0x2e/0xe8 [smc]
[71556.835545]  [<000003ff80540c16>] smc_listen_work+0x516/0x6a0 [smc]
[71556.835549]  [<00000000d5f0f448>] process_one_work+0x280/0x478
[71556.835554]  [<00000000d5f0f6a6>] worker_thread+0x66/0x368
[71556.835559]  [<00000000d5f18692>] kthread+0x17a/0x1a0
[71556.835563]  [<00000000d6abf3b8>] ret_from_fork+0x28/0x2c
[71556.835569] INFO: lockdep is turned off.
[71556.835573] FIX kmalloc-128: Restoring 0x00000000d20894be-0x00000000aaef63e9=0x6b

[71556.835577] FIX kmalloc-128: Marking all objects used

Fixes: fd7f3a7465 ("net/smc: remove freed buffer from list")
Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-09-03 16:52:33 -07:00
..
6lowpan treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
9p 9p pull request for inclusion in 5.9 2020-08-15 08:34:36 -07:00
802
8021q net: get rid of lockdep_set_class_and_subclass() 2020-06-28 21:37:23 -07:00
appletalk appletalk: Fix atalk_proc_init() return path 2020-08-03 15:48:32 -07:00
atm mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-07-25 17:49:04 -07:00
batman-adv batman-adv: bla: use netif_rx_ni when not in interrupt context 2020-08-18 19:40:03 +02:00
bluetooth mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
bpf bpf: Allow to specify ifindex for skb in bpf_prog_test_run_skb 2020-08-03 23:32:23 +02:00
bpfilter Merge branch 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-08-04 14:27:25 -07:00
bridge netfilter: ebtables: reject bogus getopt len value 2020-08-14 11:59:08 +02:00
caif net: caif: fix error code handling 2020-08-25 07:50:25 -07:00
can can: j1939: add rxtimer for multipacket broadcast session 2020-08-15 11:12:58 +02:00
ceph libceph: replace HTTP links with HTTPS ones 2020-08-03 11:05:26 +02:00
core pktgen: fix error message with wrong function name 2020-09-01 11:44:53 -07:00
dcb dcb_doit: remove redundant skb check 2020-06-23 20:27:09 -07:00
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2020-08-03 16:03:18 -07:00
dns_resolver
dsa net: dsa: stop overriding master's ndo_get_phys_port_name 2020-07-23 15:14:58 -07:00
ethernet net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
ethtool ethtool: Don't omit the netlink reply if no features were changed 2020-08-18 16:00:24 -07:00
hsr hsr: Use %pM format specifier for MAC addresses 2020-07-31 16:46:26 -07:00
ieee802154 net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
ife
ipv4 netfilter: delete repeated words 2020-08-28 20:11:38 +02:00
ipv6 ipv6: Fix sysctl max for fib_multipath_hash_policy 2020-09-02 15:44:53 -07:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
kcm net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
l2tp l2tp: improve API documentation in l2tp_core.h 2020-07-30 16:45:31 -07:00
l3mdev net: Fix some comments 2020-08-27 07:55:59 -07:00
lapb treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
llc net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
mac80211 mac80211: reduce packet loss event false positives 2020-08-27 10:53:20 +02:00
mac802154 mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
mpls net: Removed the device type check to add mpls support for devices 2020-07-27 11:40:47 -07:00
mptcp mptcp: free acked data before waiting for more memory 2020-08-26 15:48:44 -07:00
ncsi net/ncsi: use eth_zero_addr() to clear mac address 2020-07-23 11:49:41 -07:00
netfilter netfilter: conntrack: do not auto-delete clash entries on reply 2020-08-29 13:03:06 +02:00
netlabel netlabel: fix problems with mapping removal 2020-08-24 16:08:00 -07:00
netlink netlink: fix a data race in netlink_rcv_wake() 2020-08-28 06:51:11 -07:00
netrom net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
nfc net/nfc/rawsock.c: add CAP_NET_RAW check. 2020-08-11 10:34:30 -07:00
nsh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
openvswitch net: openvswitch: introduce common code for flushing flows 2020-08-13 15:53:30 -07:00
packet af_packet: TPACKET_V3: fix fill status rwlock imbalance 2020-08-13 15:37:30 -07:00
phonet net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
psample net: psample: fix build error when CONFIG_INET is not enabled 2020-05-23 16:36:05 -07:00
qrtr net: qrtr: fix usage of idr in port assignment to socket 2020-08-17 15:00:41 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
rfkill
rose net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
rxrpc rxrpc: Fix memory leak in rxkad_verify_response() 2020-08-27 12:59:45 -07:00
sched net_sched: fix error path in red_init() 2020-08-28 07:16:46 -07:00
sctp sctp: not disable bh in the whole sctp_get_port_local() 2020-08-24 15:50:17 -07:00
smc net/smc: reset sndbuf_desc if freed 2020-09-03 16:52:33 -07:00
strparser
sunrpc NFS client updates for Linux 5.9 2020-08-15 08:26:55 -07:00
switchdev net: switchdev: kerneldoc fixes 2020-07-13 17:20:40 -07:00
tipc tipc: fix shutdown() of connectionless socket 2020-09-02 15:49:30 -07:00
tls net/tls: Fix kmap usage 2020-08-11 10:20:34 -07:00
unix net: make ->{get,set}sockopt in proto_ops optional 2020-07-19 18:16:41 -07:00
vmw_vsock vsock: fix potential null pointer dereference in vsock_poll() 2020-08-12 12:56:06 -07:00
wimax
wireless cfg80211: Adjust 6 GHz frequency to channel conversion 2020-08-27 10:53:21 +02:00
x25 net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
xdp xdp: Prevent kernel-infoleak in xsk_getsockopt() 2020-07-28 12:50:15 +02:00
xfrm A set of locking fixes and updates: 2020-08-10 19:07:44 -07:00
compat.c net/scm: Fix typo in SCM_RIGHTS compat refactoring 2020-08-07 12:43:25 -07:00
devres.c net: devres: rename the release callback of devm_register_netdev() 2020-06-30 15:57:34 -07:00
Kconfig net: ethtool: Remove PHYLIB direct dependency 2020-07-07 15:41:05 -07:00
Makefile net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
socket.c net: Fix some comments 2020-08-27 07:55:59 -07:00
sysctl_net.c