Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965309AbdGTLRx (ORCPT ); Thu, 20 Jul 2017 07:17:53 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:43534 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965297AbdGTLRt (ORCPT ); Thu, 20 Jul 2017 07:17:49 -0400 Date: Thu, 20 Jul 2017 14:17:34 +0300 From: Dan Carpenter To: Bogdan Purcareata Cc: ruxandra.radulescu@nxp.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org Subject: Re: [PATCH 1/2] staging: fsl-dpaa2/eth: Fix skb use after free Message-ID: <20170720111733.vjn3i2s3shzf7u4d@mwanda> References: <1500548318-23170-1-git-send-email-bogdan.purcareata@nxp.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1500548318-23170-1-git-send-email-bogdan.purcareata@nxp.com> User-Agent: NeoMutt/20170113 (1.7.2) X-Source-IP: aserv0022.oracle.com [141.146.126.234] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1271 Lines: 29 On Thu, Jul 20, 2017 at 10:58:37AM +0000, Bogdan Purcareata wrote: > Once a Tx frame descriptor is enqueued, an interrupt might be triggered > to process the Tx confirmation and free the skb, hitting a memory use > after free when updating the tx_bytes statistic based on skb->len. > > Use the frame descriptor length instead. > > Signed-off-by: Bogdan Purcareata > --- > drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c > index b9a0a31..0f3e497 100644 > --- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c > +++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c > @@ -616,7 +616,7 @@ static netdev_tx_t dpaa2_eth_tx(struct sk_buff *skb, struct net_device *net_dev) > free_tx_fd(priv, &fd, NULL); > } else { > percpu_stats->tx_packets++; > - percpu_stats->tx_bytes += skb->len; > + percpu_stats->tx_bytes += dpaa2_fd_get_len(&fd); This feels like the wrong thing. Can't we just save skb->len earlier in the function and use it here? This is the common case right? So we'd be saving slightly wrong information for almost every packet. regards, dan carpenter