Date: Sat, 5 Mar 2022 16:41:00 +0100
Subject: Re: [PATCH net] net: lantiq_xrx200: fix use after free bug
To: Aleksander Jan Bajkowski, davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Eric Dumazet
From: Hauke Mehrtens
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/5/22 12:20, Aleksander Jan Bajkowski wrote:
> The skb->len field is read after the packet is sent to the network
> stack. In the meantime, skb can be freed. This patch fixes this bug.
>
> Fixes: c3e6b2c35b34 ("net: lantiq_xrx200: add ingress SG DMA support")
> Reported-by: Eric Dumazet
> Signed-off-by: Aleksander Jan Bajkowski

Acked-by: Hauke Mehrtens

> ---
> drivers/net/ethernet/lantiq_xrx200.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c
> index 41d11137cde0..5712c3e94be8 100644
> --- a/drivers/net/ethernet/lantiq_xrx200.c
> +++ b/drivers/net/ethernet/lantiq_xrx200.c
> @@ -260,9 +260,9 @@ static int xrx200_hw_receive(struct xrx200_chan *ch) > > if (ctl & LTQ_DMA_EOP) { > ch->skb_head->protocol = eth_type_trans(ch->skb_head, net_dev); > - netif_receive_skb(ch->skb_head); > net_dev->stats.rx_packets++; > net_dev->stats.rx_bytes += ch->skb_head->len; > + netif_receive_skb(ch->skb_head); > ch->skb_head = NULL; > ch->skb_tail = NULL; > ret = XRX200_DMA_PACKET_COMPLETE;
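
Review bot: The ordering at the end of the LTQ_DMA_EOP branch is now the only thing protecting the `ch->skb_head->len` read, and nothing in the code says so. A one-line comment above `netif_receive_skb(ch->skb_head);` stating that the skb must not be dereferenced after that call, or reading the length into a local before the call, would keep a later reorder of the stats lines from reintroducing the use after free. The `ch->skb_head = NULL;` and `ch->skb_tail = NULL;` assignments that follow only overwrite the pointers, so they are fine where they are.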