Message ID | 20220305112039.3989-1-olek2@wp.pl (mailing list archive) |
---|---|
State | Accepted |
Commit | dd830aed23c6e07cd8e2a163742bf3d63c9add08 |
Delegated to: | Netdev Maintainers |
Series | [net] net: lantiq_xrx200: fix use after free bug |
On 3/5/22 12:20, Aleksander Jan Bajkowski wrote: > The skb->len field is read after the packet is sent to the network > stack. In the meantime, skb can be freed. This patch fixes this bug. > > Fixes: c3e6b2c35b34 ("net: lantiq_xrx200: add ingress SG DMA support") > Reported-by: Eric Dumazet <eric.dumazet@gmail.com> > Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl> Acked-by: Hauke Mehrtens <hauke@hauke-m.de> > --- > drivers/net/ethernet/lantiq_xrx200.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c > index 41d11137cde0..5712c3e94be8 100644 > --- a/drivers/net/ethernet/lantiq_xrx200.c > +++ b/drivers/net/ethernet/lantiq_xrx200.c > @@ -260,9 +260,9 @@ static int xrx200_hw_receive(struct xrx200_chan *ch) > > if (ctl & LTQ_DMA_EOP) { > ch->skb_head->protocol = eth_type_trans(ch->skb_head, net_dev); > - netif_receive_skb(ch->skb_head); > net_dev->stats.rx_packets++; > net_dev->stats.rx_bytes += ch->skb_head->len; > + netif_receive_skb(ch->skb_head); > ch->skb_head = NULL; > ch->skb_tail = NULL; > ret = XRX200_DMA_PACKET_COMPLETE;
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Sat, 5 Mar 2022 12:20:39 +0100 you wrote:
> The skb->len field is read after the packet is sent to the network
> stack. In the meantime, skb can be freed. This patch fixes this bug.
>
> Fixes: c3e6b2c35b34 ("net: lantiq_xrx200: add ingress SG DMA support")
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
>
> [...]

Here is the summary with links:
  - [net] net: lantiq_xrx200: fix use after free bug
    https://git.kernel.org/netdev/net/c/dd830aed23c6

You are awesome, thank you!
diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c index 41d11137cde0..5712c3e94be8 100644 --- a/drivers/net/ethernet/lantiq_xrx200.c +++ b/drivers/net/ethernet/lantiq_xrx200.c @@ -260,9 +260,9 @@ static int xrx200_hw_receive(struct xrx200_chan *ch) if (ctl & LTQ_DMA_EOP) { ch->skb_head->protocol = eth_type_trans(ch->skb_head, net_dev); - netif_receive_skb(ch->skb_head); net_dev->stats.rx_packets++; net_dev->stats.rx_bytes += ch->skb_head->len; + netif_receive_skb(ch->skb_head); ch->skb_head = NULL; ch->skb_tail = NULL; ret = XRX200_DMA_PACKET_COMPLETE;
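Review bot: The reordered block under `if (ctl & LTQ_DMA_EOP)` is now safe only because of statement order, and nothing in the code records that constraint. Once `netif_receive_skb(ch->skb_head)` has run, the skb belongs to the network stack and may already be freed, so the only valid operations left on it are the `ch->skb_head = NULL` and `ch->skb_tail = NULL` pointer resets that follow. Please add a one-line comment directly above the call saying that the skb must not be dereferenced after it, or read `ch->skb_head->len` into a local before the call and use that for `rx_bytes`, so that a later change adding another `ch->skb_head->...` access below the call does not bring the use after free back.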
The skb->len field is read after the packet is sent to the network
stack. In the meantime, skb can be freed. This patch fixes this bug.

Fixes: c3e6b2c35b34 ("net: lantiq_xrx200: add ingress SG DMA support")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>

---
 drivers/net/ethernet/lantiq_xrx200.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)