diff mbox series

[net-next,v2] net: dsa: avoid potential use-after-free error

Message ID 20201119110906.25558-1-ceggers@arri.de (mailing list archive)
State Accepted
Commit 30abc9cd9c6bdd44d23fc49a9c2526a86fba4305
Delegated to: Netdev Maintainers
Headers show
Series [net-next,v2] net: dsa: avoid potential use-after-free error | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for net-next
netdev/subject_prefix success Link
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 13 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link
netdev/stable success Stable not CCed

Commit Message

Christian Eggers Nov. 19, 2020, 11:09 a.m. UTC 
If dsa_switch_ops::port_txtstamp() returns false, clone will be freed
immediately. Shouldn't store a pointer to freed memory.

Signed-off-by: Christian Eggers <ceggers@arri.de>
Fixes: 146d442c2357 ("net: dsa: Keep a pointer to the skb clone for TX timestamping")
---
Changes since v1:
- Fixed "Fixes:" tag (and configured my GIT)
- Adjusted commit description

 net/dsa/slave.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Vladimir Oltean Nov. 20, 2020, 6:01 p.m. UTC | #1 
On Thu, Nov 19, 2020 at 12:09:06PM +0100, Christian Eggers wrote:
> If dsa_switch_ops::port_txtstamp() returns false, clone will be freed
> immediately. Shouldn't store a pointer to freed memory.
> 
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> Fixes: 146d442c2357 ("net: dsa: Keep a pointer to the skb clone for TX timestamping")
> ---

IMO this is one of the cases to which the following from
Documentation/process/stable-kernel-rules.rst does not apply:

 - It must fix a real bug that bothers people (not a, "This could be a
   problem..." type thing).

Therefore, specifying "net-next" as the target tree here as opposed to
"net" is the correct choice.

Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Tested-by: Vladimir Oltean <olteanv@gmail.com>
Florian Fainelli Nov. 20, 2020, 6:17 p.m. UTC | #2 
On 11/19/20 3:09 AM, Christian Eggers wrote:
> If dsa_switch_ops::port_txtstamp() returns false, clone will be freed
> immediately. Shouldn't store a pointer to freed memory.
> 
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> Fixes: 146d442c2357 ("net: dsa: Keep a pointer to the skb clone for TX timestamping")

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Jakub Kicinski Nov. 20, 2020, 8:59 p.m. UTC | #3 
On Fri, 20 Nov 2020 20:01:49 +0200 Vladimir Oltean wrote:
> On Thu, Nov 19, 2020 at 12:09:06PM +0100, Christian Eggers wrote:
> > If dsa_switch_ops::port_txtstamp() returns false, clone will be freed
> > immediately. Shouldn't store a pointer to freed memory.
> > 
> > Signed-off-by: Christian Eggers <ceggers@arri.de>
> > Fixes: 146d442c2357 ("net: dsa: Keep a pointer to the skb clone for TX timestamping")
> > ---  
> 
> IMO this is one of the cases to which the following from
> Documentation/process/stable-kernel-rules.rst does not apply:
> 
>  - It must fix a real bug that bothers people (not a, "This could be a
>    problem..." type thing).
> 
> Therefore, specifying "net-next" as the target tree here as opposed to
> "net" is the correct choice.

The commit message doesn't really explain what happens after.

Is the dangling pointer ever accessed?
Vladimir Oltean Nov. 20, 2020, 9:04 p.m. UTC | #4 
On Fri, Nov 20, 2020 at 12:59:21PM -0800, Jakub Kicinski wrote:
> On Fri, 20 Nov 2020 20:01:49 +0200 Vladimir Oltean wrote:
> > On Thu, Nov 19, 2020 at 12:09:06PM +0100, Christian Eggers wrote:
> > > If dsa_switch_ops::port_txtstamp() returns false, clone will be freed
> > > immediately. Shouldn't store a pointer to freed memory.
> > >
> > > Signed-off-by: Christian Eggers <ceggers@arri.de>
> > > Fixes: 146d442c2357 ("net: dsa: Keep a pointer to the skb clone for TX timestamping")
> > > ---
> >
> > IMO this is one of the cases to which the following from
> > Documentation/process/stable-kernel-rules.rst does not apply:
> >
> >  - It must fix a real bug that bothers people (not a, "This could be a
> >    problem..." type thing).
> >
> > Therefore, specifying "net-next" as the target tree here as opposed to
> > "net" is the correct choice.
>
> The commit message doesn't really explain what happens after.
>
> Is the dangling pointer ever accessed?

Nothing happens afterwards. He explained that he accessed it once while
working on his ksz9477 PTP series. There's no code affected by this in
mainline.
Jakub Kicinski Nov. 20, 2020, 9:17 p.m. UTC | #5 
On Fri, 20 Nov 2020 23:04:36 +0200 Vladimir Oltean wrote:
> On Fri, Nov 20, 2020 at 12:59:21PM -0800, Jakub Kicinski wrote:
> > On Fri, 20 Nov 2020 20:01:49 +0200 Vladimir Oltean wrote:  
> > > On Thu, Nov 19, 2020 at 12:09:06PM +0100, Christian Eggers wrote:  
> > > > If dsa_switch_ops::port_txtstamp() returns false, clone will be freed
> > > > immediately. Shouldn't store a pointer to freed memory.
> > > >
> > > > Signed-off-by: Christian Eggers <ceggers@arri.de>
> > > > Fixes: 146d442c2357 ("net: dsa: Keep a pointer to the skb clone for TX timestamping")
> > > > ---  
> > >
> > > IMO this is one of the cases to which the following from
> > > Documentation/process/stable-kernel-rules.rst does not apply:
> > >
> > >  - It must fix a real bug that bothers people (not a, "This could be a
> > >    problem..." type thing).
> > >
> > > Therefore, specifying "net-next" as the target tree here as opposed to
> > > "net" is the correct choice.  
> >
> > The commit message doesn't really explain what happens after.
> >
> > Is the dangling pointer ever accessed?  
> 
> Nothing happens afterwards. He explained that he accessed it once while
> working on his ksz9477 PTP series. There's no code affected by this in
> mainline.

Ah, great, I'll drop the Fixes tag altogether then.
patchwork-bot+netdevbpf@kernel.org Nov. 20, 2020, 11:10 p.m. UTC | #6 
Hello:

This patch was applied to netdev/net-next.git (refs/heads/master):

On Thu, 19 Nov 2020 12:09:06 +0100 you wrote:
> If dsa_switch_ops::port_txtstamp() returns false, clone will be freed
> immediately. Shouldn't store a pointer to freed memory.
> 
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> Fixes: 146d442c2357 ("net: dsa: Keep a pointer to the skb clone for TX timestamping")
> ---
> Changes since v1:
> - Fixed "Fixes:" tag (and configured my GIT)
> - Adjusted commit description
> 
> [...]

Here is the summary with links:
  - [net-next,v2] net: dsa: avoid potential use-after-free error
    https://git.kernel.org/netdev/net-next/c/30abc9cd9c6b

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index ff2266d2b998..7efc753e4d9d 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -522,10 +522,10 @@  static void dsa_skb_tx_timestamp(struct dsa_slave_priv *p,
 	if (!clone)
 		return;
 
-	DSA_SKB_CB(skb)->clone = clone;
-
-	if (ds->ops->port_txtstamp(ds, p->dp->index, clone, type))
+	if (ds->ops->port_txtstamp(ds, p->dp->index, clone, type)) {
+		DSA_SKB_CB(skb)->clone = clone;
 		return;
+	}
 
 	kfree_skb(clone);
 }