Re: [5.10 CAN BUG report] kernel dump about echo skb

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jan 22, 2021 at 10:23:24AM +0100, Marc Kleine-Budde wrote:
> On Fri, Jan 22, 2021 at 06:08:18PM +0900, Vincent MAILHOL wrote:
> > > > 1. Kernel dump log:
> > > > [  101.688327] ------------[ cut here ]------------ [  101.692968] refcount_t:
> > > > addition on 0; use-after-free.
> > 
> > The skb already had its refcount at zero when reaching
> > can_put_echo_skb(). It is as if it was already freed/consumed!
> 
> ACK
> 
> > If you remove Oleksij’s patch, can_put_echo_skb() will probably not
> > clone the skb and thus not check the refcount: this means that you
> > will not see the warning, however, it does not necessarily mean that
> > the bug did not occur.
> 
> ACK
> 
> > So far, it seems to me to be another bug which was invisible until
> > now and which Oleksij’s patch just uncovered. But I do not yet fully
> > understand what the root cause could be.
> 
> Or it's the same bug, hitting earlier. Oleksij's backtrace was in the
> TX-complete path and the problem was fixes by cloning the skb in before TX.
> This means the refcount of the original skb was decremented between TX and
> TX-complete. Here the refcount is decremented even before TX.
> 
> Does this make sense?

Is socket was closed just before TX?

Regards,
Oleksij
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



[Index of Archives]     [Automotive Discussions]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]     [CAN Bus]

  Powered by Linux