From patchwork Wed Oct 27 05:21:07 2010
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 69327
X-Patchwork-Delegate: davem@davemloft.net
Subject: [PATCH] ehea: fix use after free
From: Eric Dumazet
To: leitao@linux.vnet.ibm.com
Cc: davem@davemloft.net, netdev@vger.kernel.org
In-Reply-To: <1288118920.2652.4.camel@edumazet-laptop>
References: <1288116213-11801-1-git-send-email-leitao@linux.vnet.ibm.com> <1288118920.2652.4.camel@edumazet-laptop>
Date: Wed, 27 Oct 2010 07:21:07 +0200
Message-ID: <1288156867.2652.127.camel@edumazet-laptop>
X-Mailing-List: netdev@vger.kernel.org

On Tuesday, 26 October 2010 at 20:48 +0200, Eric Dumazet wrote:
> Note: driver already uses skb after its freeing, before your patch.
>
>         if (vlan_tx_tag_present(skb)) {
>                 swqe->tx_control |= EHEA_SWQE_VLAN_INSERT;
>                 swqe->vlan_tag = vlan_tx_tag_get(skb);
>         }
>

Could you please test the following patch?

Thanks

[PATCH] ehea: fix use after free

ehea_start_xmit() dereferences skb after its freeing in ehea_xmit3() to
get vlan tags.

Move the offending block before the potential ehea_xmit3() call.

Signed-off-by: Eric Dumazet
Signed-off-by: Breno Leitao
---
 drivers/net/ehea/ehea_main.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ehea/ehea_main.c b/drivers/net/ehea/ehea_main.c index bb7d306..e59d386 100644 --- a/drivers/net/ehea/ehea_main.c +++ b/drivers/net/ehea/ehea_main.c 
@@ -2249,6 +2249,11 @@ static int ehea_start_xmit(struct sk_buff *skb, struct net_device *dev) memset(swqe, 0, SWQE_HEADER_SIZE); atomic_dec(&pr->swqe_avail); + if (vlan_tx_tag_present(skb)) { + swqe->tx_control |= EHEA_SWQE_VLAN_INSERT; + swqe->vlan_tag = vlan_tx_tag_get(skb); + } + if (skb->len <= SWQE3_MAX_IMM) { u32 sig_iv = port->sig_comp_iv; u32 swqe_num = pr->swqe_id_counter; @@ -2279,11 +2284,6 @@ static int ehea_start_xmit(struct sk_buff *skb, struct net_device *dev) } pr->swqe_id_counter += 1; - if (vlan_tx_tag_present(skb)) { - swqe->tx_control |= EHEA_SWQE_VLAN_INSERT; - swqe->vlan_tag = vlan_tx_tag_get(skb); - } - if (netif_msg_tx_queued(port)) { ehea_info("post swqe on QP %d", pr->qp->init_attr.qp_nr); ehea_dump(swqe, 512, "swqe");
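
Review bot: in the first hunk the VLAN block now sits between atomic_dec(&pr->swqe_avail) and the if (skb->len <= SWQE3_MAX_IMM) branch, but nothing at that spot says the placement matters. A one-line comment there, noting that (per the commit message) skb may already be freed once ehea_xmit3() has been called and that every value read from skb must therefore be copied into swqe before the branch, would keep a later cleanup from moving the block back down. The position after memset(swqe, 0, SWQE_HEADER_SIZE) is correct, since tx_control is set with |= and depends on the header having been cleared first.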
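
Review bot: in the second hunk, the context left after the removed block (netif_msg_tx_queued(port), ehea_info(), ehea_dump(swqe, 512, "swqe")) only touches port, pr and swqe, which is fine, but the remainder of ehea_start_xmit() past that point is not part of the diff. Please state in the changelog that no other read of skb remains after the transmit branch, or hoist any such read as well, so that the patch closes the use after free for the whole function and not only for the VLAN tag lookup.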