Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp913246imu; Wed, 28 Nov 2018 01:23:18 -0800 (PST) X-Google-Smtp-Source: AFSGD/X6ABV77xLs7sCa3SzgcMpk43e4gAFKNVvILVNEYjHtyU9dYopoELqCmUz351llWWWA4pZ+ X-Received: by 2002:a63:ce50:: with SMTP id r16mr32243450pgi.217.1543396997949; Wed, 28 Nov 2018 01:23:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543396997; cv=none; d=google.com; s=arc-20160816; b=Pg999eAfmVdqyu9jqllTKwB8PrBp3u45MKXlytAIz5eRMMjgcZHYzbWbr2Y9rgChAf y1P/Uy0arGCEKCYKXnaaWTT3BUGu7MBnt8zWuaWBNHHBX40nyG8sspNlm0N54tJoxO+Y gz99vr1fbWjBlsDSG9jd9Zh4QuKH3IReY3CFBZhITryfviEb3EaSwimrea40MLMtfMk6 pheM4TEhrcdjgZH0Vu8eMIXQ/LPtuOrdQw8VuPY7dTQIVpm4rWqHOx6S1dlipTT0E1jE tYQL2qV9H02c0gdGc1WSTdcWkVA4iGHCHiaH8B/gsKxfwsWvLh5pFVl+BYkE8Ugp12Gu W5Yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=CbfxdGke0HEMBGu+SopRdrIaYtU/j5g7rmGw+u6eV8c=; b=TNzIp1FwQoL1bSA3qslHlUMahrp7agvHdUz5piCZF58jmITtjwV0UOLGqNYEGCKvsI 5BQePiXZOzbR5Wk91Lu7fzd+mE5S1gL6KnunWZENg2AKtst8PH/WoVckg2naWcYAmjG/ 0Pj8mXNCbGzTZwCfyd600p8gIxlz3F6ov7ooWAhsR2JdrRoGr1QFdeqB+BHTNNrJqAUs MBs57oiZY2SsS7jTOvsi0A1xdufL9LjhnPBe1j9hr6WSKawkSZt4f4Pf8sh1k7ZfS815 0xeDLwVAdZCPW3YWlU3iRAI0HWKwXRLx2FWzZI8t5Q+KbI1hEjB28QcSJBbmRdDnPAht 5EaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@163.com header.s=s110527 header.b=FWEMTPvj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n1si6658605pgh.172.2018.11.28.01.23.03; Wed, 28 Nov 2018 01:23:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@163.com header.s=s110527 header.b=FWEMTPvj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728075AbeK1UWC (ORCPT + 99 others); Wed, 28 Nov 2018 15:22:02 -0500 Received: from m12-14.163.com ([220.181.12.14]:47214 "EHLO m12-14.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727616AbeK1UWB (ORCPT ); Wed, 28 Nov 2018 15:22:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id; bh=CbfxdGke0HEMBGu+So pRdrIaYtU/j5g7rmGw+u6eV8c=; b=FWEMTPvj27bgJYepzGR7cao/na0jLP8Q+8 NaQrbg+eWeZoBchJE0gzdHje85sQgXmvYFuN8vnmHwc8LjM5tGJ2UzUMTt7T4Ulv 62KKMrmfl2+89vVy6JkK1lwIypHmD/aG4ndtNN3AjPB8SKgLi8yjwVRmhtLoAKCj UCrLDBRnI= Received: from bp.localdomain (unknown [106.120.213.96]) by smtp10 (Coremail) with SMTP id DsCowAD3W8j0Xf5bV1xACQ--.53578S3; Wed, 28 Nov 2018 17:20:54 +0800 (CST) From: Pan Bian To: Jose Abreu , "David S. Miller" Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pan Bian Subject: [PATCH] net: dwc-xlgmac: set skb to NULL after freeing it Date: Wed, 28 Nov 2018 17:20:53 +0800 Message-Id: <1543396853-35188-1-git-send-email-bianpan2016@163.com> X-Mailer: git-send-email 2.7.4 X-CM-TRANSID: DsCowAD3W8j0Xf5bV1xACQ--.53578S3 X-Coremail-Antispam: 1Uf129KBjvJXoW7Cw1DKw1rJF4fWr13Xry5Jwb_yoW8Jw15pa yUJ3yUXrn3Jr42qaykXw4rZF15Gan8JFZ5Gr9rCw13X3ZIyr1a9r1qqa4YyFWUCFZ3uaya qw4Y9rn7WFn8XFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x07j1Ap5UUUUU= X-Originating-IP: [106.120.213.96] X-CM-SenderInfo: held01tdqsiiqw6rljoofrz/1tbiQAMNclSIYVNlRgAAsx Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The buffer skb is freed via dev_kfree_skb in a loop. After freeing skb, the value of packet_count is updated via packet_count++. If packet_count happens to equal the upper bound (i.e., budget), the loop will be broken and skb may be assigned to desc_data->state.skb. Resulting that desc_data->state.skb may point to a freed memory chunk. To fix this, the patch sets skb to NULL after dev_kfree_skb(skb). Signed-off-by: Pan Bian --- drivers/net/ethernet/synopsys/dwc-xlgmac-net.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/synopsys/dwc-xlgmac-net.c b/drivers/net/ethernet/synopsys/dwc-xlgmac-net.c index 1f8e960..a0d28c4 100644 --- a/drivers/net/ethernet/synopsys/dwc-xlgmac-net.c +++ b/drivers/net/ethernet/synopsys/dwc-xlgmac-net.c @@ -1180,6 +1180,7 @@ static int xlgmac_rx_poll(struct xlgmac_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "error in received packet\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; } @@ -1227,6 +1228,7 @@ static int xlgmac_rx_poll(struct xlgmac_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "packet length exceeds configured MTU\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; } -- 2.7.4