| Message ID | 20220218152730.GA4299@kili (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next] net: dm9051: Fix use after free in dm9051_loop_tx() | expand |
On Fri, 18 Feb 2022 18:27:30 +0300 Dan Carpenter wrote: > This code dereferences "skb" after calling dev_kfree_skb(). > > Fixes: 2dc95a4d30ed ("net: Add dm9051 driver") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thanks! Although.. > diff --git a/drivers/net/ethernet/davicom/dm9051.c b/drivers/net/ethernet/davicom/dm9051.c > index a63d17e669a0..f6b5d2becf5e 100644 > --- a/drivers/net/ethernet/davicom/dm9051.c > +++ b/drivers/net/ethernet/davicom/dm9051.c > @@ -850,13 +850,13 @@ static int dm9051_loop_tx(struct board_info *db) > if (skb) { > ntx++; > ret = dm9051_single_tx(db, skb->data, skb->len); > + ndev->stats.tx_bytes += skb->len; > + ndev->stats.tx_packets++; > dev_kfree_skb(skb); > if (ret < 0) { > db->bc.tx_err_counter++; > return 0; > } > - ndev->stats.tx_bytes += skb->len; > - ndev->stats.tx_packets++; I think the idea was (and it often is with this kind of bugs) to count only successful transmissions. Could you re-jig it a little to keep those semantics?
On Fri, Feb 18, 2022 at 09:07:12PM -0800, Jakub Kicinski wrote: > On Fri, 18 Feb 2022 18:27:30 +0300 Dan Carpenter wrote: > > This code dereferences "skb" after calling dev_kfree_skb(). > > > > Fixes: 2dc95a4d30ed ("net: Add dm9051 driver") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > Thanks! Although.. > > > diff --git a/drivers/net/ethernet/davicom/dm9051.c b/drivers/net/ethernet/davicom/dm9051.c > > index a63d17e669a0..f6b5d2becf5e 100644 > > --- a/drivers/net/ethernet/davicom/dm9051.c > > +++ b/drivers/net/ethernet/davicom/dm9051.c > > @@ -850,13 +850,13 @@ static int dm9051_loop_tx(struct board_info *db) > > if (skb) { > > ntx++; > > ret = dm9051_single_tx(db, skb->data, skb->len); > > + ndev->stats.tx_bytes += skb->len; > > + ndev->stats.tx_packets++; > > dev_kfree_skb(skb); > > if (ret < 0) { > > db->bc.tx_err_counter++; > > return 0; > > } > > - ndev->stats.tx_bytes += skb->len; > > - ndev->stats.tx_packets++; > > I think the idea was (and it often is with this kind of bugs) > to count only successful transmissions. Could you re-jig it > a little to keep those semantics? Sure. Will resend. regards, dan carpenter
diff --git a/drivers/net/ethernet/davicom/dm9051.c b/drivers/net/ethernet/davicom/dm9051.c index a63d17e669a0..f6b5d2becf5e 100644 --- a/drivers/net/ethernet/davicom/dm9051.c +++ b/drivers/net/ethernet/davicom/dm9051.c @@ -850,13 +850,13 @@ static int dm9051_loop_tx(struct board_info *db) if (skb) { ntx++; ret = dm9051_single_tx(db, skb->data, skb->len); + ndev->stats.tx_bytes += skb->len; + ndev->stats.tx_packets++; dev_kfree_skb(skb); if (ret < 0) { db->bc.tx_err_counter++; return 0; } - ndev->stats.tx_bytes += skb->len; - ndev->stats.tx_packets++; } if (netif_queue_stopped(ndev) &&
This code dereferences "skb" after calling dev_kfree_skb(). Fixes: 2dc95a4d30ed ("net: Add dm9051 driver") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/net/ethernet/davicom/dm9051.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)