net: tracepoint of net_dev_xmit sees freed skb and causes panic

Because there is a possibility that skb is kfree_skb()ed and zero cleared
after ndo_start_xmit, we should not see the contents of skb like skb->len and
skb->dev->name after ndo_start_xmit. But trace_net_dev_xmit does that
and causes panic by NULL pointer dereference.
This patch fixes trace_net_dev_xmit not to see the contents of skb directly.

If you want to reproduce this panic,

1. Get tracepoint of net_dev_xmit on
2. Create 2 guests on KVM
2. Make 2 guests use virtio_net
4. Execute netperf from one to another for a long time as a network burden
5. host will panic(It takes about 30 minutes)

Signed-off-by: Koki Sanagi <sanagi.koki@jp.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 7 insertions, 5 deletions

diff --git a/include/trace/events/net.h b/include/trace/events/net.h
index 5f247f5ffc56..f99645d05a8f 100644
--- a/include/trace/events/net.h
+++ b/include/trace/events/net.h
@@ -12,22 +12,24 @@
 TRACE_EVENT(net_dev_xmit,
 
         TP_PROTO(struct sk_buff *skb,
-                 int rc),
+                 int rc,
+                 struct net_device *dev,
+                 unsigned int skb_len),
 
-        TP_ARGS(skb, rc),
+        TP_ARGS(skb, rc, dev, skb_len),
 
         TP_STRUCT__entry(
                 __field(        void *,         skbaddr         )
                 __field(        unsigned int,   len             )
                 __field(        int,            rc              )
-                __string(       name,           skb->dev->name  )
+                __string(       name,           dev->name       )
         ),
 
         TP_fast_assign(
                 __entry->skbaddr = skb;
-                __entry->len = skb->len;
+                __entry->len = skb_len;
                 __entry->rc = rc;
-                __assign_str(name, skb->dev->name);
+                __assign_str(name, dev->name);
         ),
 
         TP_printk("dev=%s skbaddr=%p len=%u rc=%d",