diff mbox series

[net-next] net: ethernet: SP7021: fix a use after free of skb->len

Message ID YoUuy4iTjFAcSn03@kili (mailing list archive)
State Accepted
Commit df98714e432abf5cbdac3e4c1a13f94c65ddb8d3
Delegated to: Netdev Maintainers
Headers show
Series [net-next] net: ethernet: SP7021: fix a use after free of skb->len | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 19 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Dan Carpenter May 18, 2022, 5:37 p.m. UTC 
The netif_receive_skb() function frees "skb" so store skb->len before
it is freed.

Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/ethernet/sunplus/spl2sw_int.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

呂芳騰 May 19, 2022, 2:23 p.m. UTC | #1 
Hi Dan,

> The netif_receive_skb() function frees "skb" so store skb->len before
> it is freed.
>
> Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/net/ethernet/sunplus/spl2sw_int.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/sunplus/spl2sw_int.c b/drivers/net/ethernet/sunplus/spl2sw_int.c
> index 69b1e2e0271e..a37c9a4c281f 100644
> --- a/drivers/net/ethernet/sunplus/spl2sw_int.c
> +++ b/drivers/net/ethernet/sunplus/spl2sw_int.c
> @@ -29,6 +29,7 @@ int spl2sw_rx_poll(struct napi_struct *napi, int budget)
>         u32 mask;
>         int port;
>         u32 cmd;
> +       u32 len;
>
>         /* Process high-priority queue and then low-priority queue. */
>         for (queue = 0; queue < RX_DESC_QUEUE_NUM; queue++) {
> @@ -63,10 +64,11 @@ int spl2sw_rx_poll(struct napi_struct *napi, int budget)
>                         skb_put(skb, pkg_len - 4); /* Minus FCS */
>                         skb->ip_summed = CHECKSUM_NONE;
>                         skb->protocol = eth_type_trans(skb, comm->ndev[port]);
> +                       len = skb->len;
>                         netif_receive_skb(skb);
>
>                         stats->rx_packets++;
> -                       stats->rx_bytes += skb->len;
> +                       stats->rx_bytes += len;
>
>                         /* Allocate a new skb for receiving. */
>                         new_skb = netdev_alloc_skb(NULL, comm->rx_desc_buff_size);
> --
> 2.35.1
>

Thanks a lot for fixing the bug.

Can we just move the statement "stats->rx_bytes += skb->len;" to
before free skb?
For example,

skb_put(skb, pkg_len - 4); /* Minus FCS */
skb->ip_summed = CHECKSUM_NONE;
skb->protocol = eth_type_trans(skb, comm->ndev[port]);
stats->rx_packets++;
stats->rx_bytes += skb->len;
netif_receive_skb(skb);

/* Allocate a new skb for receiving. */
new_skb = netdev_alloc_skb(NULL, comm->rx_desc_buff_size);

Best regards,
Wells
patchwork-bot+netdevbpf@kernel.org May 20, 2022, 1 a.m. UTC | #2 
Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 18 May 2022 20:37:15 +0300 you wrote:
> The netif_receive_skb() function frees "skb" so store skb->len before
> it is freed.
> 
> Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/net/ethernet/sunplus/spl2sw_int.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Here is the summary with links:
  - [net-next] net: ethernet: SP7021: fix a use after free of skb->len
    https://git.kernel.org/netdev/net-next/c/df98714e432a

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/ethernet/sunplus/spl2sw_int.c b/drivers/net/ethernet/sunplus/spl2sw_int.c
index 69b1e2e0271e..a37c9a4c281f 100644
--- a/drivers/net/ethernet/sunplus/spl2sw_int.c
+++ b/drivers/net/ethernet/sunplus/spl2sw_int.c
@@ -29,6 +29,7 @@  int spl2sw_rx_poll(struct napi_struct *napi, int budget)
 	u32 mask;
 	int port;
 	u32 cmd;
+	u32 len;
 
 	/* Process high-priority queue and then low-priority queue. */
 	for (queue = 0; queue < RX_DESC_QUEUE_NUM; queue++) {
@@ -63,10 +64,11 @@  int spl2sw_rx_poll(struct napi_struct *napi, int budget)
 			skb_put(skb, pkg_len - 4); /* Minus FCS */
 			skb->ip_summed = CHECKSUM_NONE;
 			skb->protocol = eth_type_trans(skb, comm->ndev[port]);
+			len = skb->len;
 			netif_receive_skb(skb);
 
 			stats->rx_packets++;
-			stats->rx_bytes += skb->len;
+			stats->rx_bytes += len;
 
 			/* Allocate a new skb for receiving. */
 			new_skb = netdev_alloc_skb(NULL, comm->rx_desc_buff_size);