| Message ID | 20221115172407.72863-1-wanghai38@huawei.com (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] e100: Fix possible use after free in e100_xmit_prepare | expand |
On Wed, 2022-11-16 at 01:24 +0800, Wang Hai wrote: > In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so > e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will > resend the skb. But the skb is already freed, which will cause UAF bug > when the upper layer resends the skb. > > Remove the harmful free. > > Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare") > Signed-off-by: Wang Hai <wanghai38@huawei.com> > --- > drivers/net/ethernet/intel/e100.c | 5 +---- > 1 file changed, 1 insertion(+), 4 deletions(-) > > diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c > index 560d1d442232..d3fdc290937f 100644 > --- a/drivers/net/ethernet/intel/e100.c > +++ b/drivers/net/ethernet/intel/e100.c > @@ -1741,11 +1741,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, > dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, > DMA_TO_DEVICE); > /* If we can't map the skb, have the upper layer try later */ > - if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { > - dev_kfree_skb_any(skb); > - skb = NULL; > + if (dma_mapping_error(&nic->pdev->dev, dma_addr)) > return -ENOMEM; > - } > > /* > * Use the last 4 bytes of the SKB payload packet as the CRC, used for I'm surprised the original patch that this essentially reverts was even accepted. Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c index 560d1d442232..d3fdc290937f 100644 --- a/drivers/net/ethernet/intel/e100.c +++ b/drivers/net/ethernet/intel/e100.c @@ -1741,11 +1741,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, DMA_TO_DEVICE); /* If we can't map the skb, have the upper layer try later */ - if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { - dev_kfree_skb_any(skb); - skb = NULL; + if (dma_mapping_error(&nic->pdev->dev, dma_addr)) return -ENOMEM; - } /* * Use the last 4 bytes of the SKB payload packet as the CRC, used for
In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free. Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare") Signed-off-by: Wang Hai <wanghai38@huawei.com> --- drivers/net/ethernet/intel/e100.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)