diff mbox

[next,S61,03/10] i40e/i40evf: Fix use after free in Rx cleanup path

Message ID 1487721348-25617-4-git-send-email-bimmy.pujari@intel.com
State Accepted
Delegated to: Jeff Kirsher
Headers show

Commit Message

Pujari, Bimmy Feb. 21, 2017, 11:55 p.m. UTC 
From: Alexander Duyck <alexander.h.duyck@intel.com>

We need to reset skb back to NULL when we have freed it in the Rx cleanup
path.  I found one spot where this wasn't occurring so this patch fixes it.

Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Change-ID: Iaca68934200732cd4a63eb0bd83b539c95f8c4dd
---
Testing Hints:
        The "Fixes" commit ID will need to be updated before this is pushed
        upstream.  Ideally this patch can be dropped if the patch that
        introduced the bug has not yet made it upstream, and this fix can
        be taken care of there.

 drivers/net/ethernet/intel/i40e/i40e_txrx.c   | 1 +
 drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 1 +
 2 files changed, 2 insertions(+)

Comments

Bowers, AndrewX March 8, 2017, 6:55 p.m. UTC | #1 
> -----Original Message-----
> From: Intel-wired-lan [mailto:intel-wired-lan-bounces@lists.osuosl.org] On
> Behalf Of Bimmy Pujari
> Sent: Tuesday, February 21, 2017 3:56 PM
> To: intel-wired-lan@lists.osuosl.org
> Subject: [Intel-wired-lan] [next PATCH S61 03/10] i40e/i40evf: Fix use after
> free in Rx cleanup path
> 
> From: Alexander Duyck <alexander.h.duyck@intel.com>
> 
> We need to reset skb back to NULL when we have freed it in the Rx cleanup
> path.  I found one spot where this wasn't occurring so this patch fixes it.
> 
> Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
> Change-ID: Iaca68934200732cd4a63eb0bd83b539c95f8c4dd
> ---
> Testing Hints:
>         The "Fixes" commit ID will need to be updated before this is pushed
>         upstream.  Ideally this patch can be dropped if the patch that
>         introduced the bug has not yet made it upstream, and this fix can
>         be taken care of there.
> 
>  drivers/net/ethernet/intel/i40e/i40e_txrx.c   | 1 +
>  drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 1 +
>  2 files changed, 2 insertions(+)

Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
diff mbox

Patch

diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
index f80c76c..558d7da 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -2183,6 +2183,7 @@  static int i40e_clean_rx_irq(struct i40e_ring *rx_ring, int budget)
 		 */
 		if (unlikely(i40e_test_staterr(rx_desc, BIT(I40E_RXD_QW1_ERROR_SHIFT)))) {
 			dev_kfree_skb_any(skb);
+			skb = NULL;
 			continue;
 		}
 
diff --git a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
index 39e2e73..9b9314a 100644
--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
@@ -1299,6 +1299,7 @@  static int i40e_clean_rx_irq(struct i40e_ring *rx_ring, int budget)
 		 */
 		if (unlikely(i40e_test_staterr(rx_desc, BIT(I40E_RXD_QW1_ERROR_SHIFT)))) {
 			dev_kfree_skb_any(skb);
+			skb = NULL;
 			continue;
 		}