From: Pan Bian
To: Tom Lendacky, "David S. Miller"
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pan Bian
Subject: [PATCH V2] amd-xgbe: set skb to NULL after freeing it
Date: Wed, 28 Nov 2018 17:06:15 +0800
Message-Id: <1543395975-25339-1-git-send-email-bianpan2016@163.com>

The buffer skb is freed via dev_kfree_skb in a loop. After freeing skb, the value of packet_count is updated via packet_count++. If packet_count happens to equal the upper bound budget, the loop will be broken and skb may be assigned to rdata->state.skb. As a result, rdata->state.skb may point to a freed memory chunk. To fix this, the patch sets skb to NULL after dev_kfree_skb(skb).

Signed-off-by: Pan Bian
---
V2: correct the commit log
---
 drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c index 0cc911f..ac6b82d 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c @@ -2754,6 +2754,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "error in received packet\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; }
@@ -2806,6 +2807,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "packet length exceeds configured MTU\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; } -- 2.7.4
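
Review bot: In the "error in received packet" path (hunk at @@ -2754), the new `skb = NULL;` carries no comment, and the reason it is needed is only in the commit log: the loop can stop once packet_count reaches budget and skb may then be stored in rdata->state.skb. A one-line comment above the assignment saying that skb must not survive the free because it can be saved into rdata->state.skb would keep a later cleanup from removing it as a dead store.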
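
Review bot: The "packet length exceeds configured MTU" path (hunk at @@ -2806) now repeats the same three-statement sequence as the earlier error path, `dev_kfree_skb(skb); skb = NULL; goto next_packet;`, so a third drop path added later can miss the clear and bring the stale pointer back. Consider routing both error paths through one shared label or small helper in xgbe_rx_poll that frees and clears skb before continuing to next_packet, so the free and the NULL assignment cannot be separated.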