Date: Thu, 20 Jul 2017 14:17:34 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Cc: ruxandra.radulescu@nxp.com, gregkh@linuxfoundation.org,
        linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org
Subject: Re: [PATCH 1/2] staging: fsl-dpaa2/eth: Fix skb use after free
Message-ID: <20170720111733.vjn3i2s3shzf7u4d@mwanda>
References: <1500548318-23170-1-git-send-email-bogdan.purcareata@nxp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1500548318-23170-1-git-send-email-bogdan.purcareata@nxp.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1271
Lines: 29

On Thu, Jul 20, 2017 at 10:58:37AM +0000, Bogdan Purcareata wrote:
> Once a Tx frame descriptor is enqueued, an interrupt might be triggered
> to process the Tx confirmation and free the skb, hitting a memory use
> after free when updating the tx_bytes statistic based on skb->len.
> 
> Use the frame descriptor length instead.
> 
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> ---
>  drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
> index b9a0a31..0f3e497 100644
> --- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
> +++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
> @@ -616,7 +616,7 @@ static netdev_tx_t dpaa2_eth_tx(struct sk_buff *skb, struct net_device *net_dev)
>  		free_tx_fd(priv, &fd, NULL);
>  	} else {
>  		percpu_stats->tx_packets++;
> -		percpu_stats->tx_bytes += skb->len;
> +		percpu_stats->tx_bytes += dpaa2_fd_get_len(&fd);

This feels like the wrong thing.  Can't we just save skb->len earlier
in the function and use it here?  This is the common case right?  So
we'd be saving slightly wrong information for almost every packet.

regards,
dan carpenter