Date: Fri, 28 Dec 2018 21:31:03 -0800 (PST)
Message-Id: <20181228.213103.793343860286706296.davem@davemloft.net>
To: baijiaju1990@gmail.com
Cc: m.grzeschik@pengutronix.de, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] net: arcnet: Fix a possible concurrency use-after-free bug in arcnet_reply_tasklet()
From: David Miller
In-Reply-To: <20181227020142.18190-1-baijiaju1990@gmail.com>
References: <20181227020142.18190-1-baijiaju1990@gmail.com>

From: Jia-Ju Bai
Date: Thu, 27 Dec 2018 10:01:42 +0800

> @@ -401,6 +401,7 @@ static void arcnet_reply_tasklet(unsigned long data) > struct sock_exterr_skb *serr; > struct sock *sk; > int ret; > + unsigned long flags; > > local_irq_disable(); > skb = lp->outgoing.skb; > @@ -426,10 +427,14 @@ static void arcnet_reply_tasklet(unsigned long data) > serr->ee.ee_data = skb_shinfo(skb)->tskey; > serr->ee.ee_info = lp->reply_status; > > + spin_lock_irqsave(&lp->lock, flags); > + > /* finally erasing outgoing skb */ > dev_kfree_skb(lp->outgoing.skb); > lp->outgoing.skb = NULL; > > + spin_unlock_irqrestore(&lp->lock, flags); > + > ackskb->dev = lp->dev; > > ret = sock_queue_err_skb(sk, ackskb);

This is not the correct fix. You need to instead replace the existing local_irq_*() calls in the function with the spinlock stuff.
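Review bot: in the first hunk (-401,6), the new `flags` variable is declared directly above the existing `local_irq_disable();` that precedes `skb = lp->outgoing.skb;`, so the pointer is still fetched without lp->lock held. If lp->lock is what serializes access to lp->outgoing.skb, take it at this point with spin_lock_irqsave(&lp->lock, flags) in place of local_irq_disable(), so that the load of the pointer and its later free sit in one critical section.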
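Review bot: in the second hunk (-426,10), the lock is taken only around `dev_kfree_skb(lp->outgoing.skb);` and the NULL store, after `skb_shinfo(skb)->tskey` has already dereferenced the same skb outside lp->lock. That leaves the earlier uses of the skb exposed to whatever concurrent path the lock is meant to exclude, and it nests an irqsave section inside a region where interrupts are already disabled by local_irq_disable(). Widen the locked region to cover every use of lp->outgoing.skb in the function and drop the separate interrupt disabling, rather than adding a second, narrower section.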