{"id":811485,"url":"http://patchwork.ozlabs.org/api/1.2/patches/811485/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/20170908102356.tzysh6qaiesd2umz@mwanda/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/1.2/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170908102356.tzysh6qaiesd2umz@mwanda>","list_archive_url":null,"date":"2017-09-08T10:23:57","name":"[net] net: qualcomm: rmnet: Fix a double free","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":true,"hash":"e9c5c5627532916fb919422dce7c0d3780e91aeb","submitter":{"id":9327,"url":"http://patchwork.ozlabs.org/api/1.2/people/9327/?format=json","name":"Dan Carpenter","email":"dan.carpenter@oracle.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/1.2/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/20170908102356.tzysh6qaiesd2umz@mwanda/mbox/","series":[{"id":2175,"url":"http://patchwork.ozlabs.org/api/1.2/series/2175/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=2175","date":"2017-09-08T10:23:57","name":"[net] net: qualcomm: rmnet: Fix a double free","version":1,"mbox":"http://patchwork.ozlabs.org/series/2175/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/811485/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/811485/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) 
smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xpYMz59Ftz9s3T\n\tfor <patchwork-incoming@ozlabs.org>;\n\tFri,  8 Sep 2017 20:24:31 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752434AbdIHKYZ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 8 Sep 2017 06:24:25 -0400","from userp1040.oracle.com ([156.151.31.81]:27227 \"EHLO\n\tuserp1040.oracle.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751548AbdIHKYY (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Fri, 8 Sep 2017 06:24:24 -0400","from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234])\n\tby userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)\n\twith ESMTP id v88AOImb022291\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Fri, 8 Sep 2017 10:24:19 GMT","from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235])\n\tby aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id\n\tv88AOIoN016904\n\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Fri, 8 Sep 2017 10:24:18 GMT","from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25])\n\tby aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id\n\tv88AOIX8001756; Fri, 8 Sep 2017 10:24:18 GMT","from mwanda (/41.210.145.102)\n\tby default (Oracle Beehive Gateway v4.0)\n\twith ESMTP ; Fri, 08 Sep 2017 03:24:15 -0700"],"Date":"Fri, 8 Sep 2017 13:23:57 +0300","From":"Dan Carpenter <dan.carpenter@oracle.com>","To":"Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>","Cc":"\"David S. 
Miller\" <davem@davemloft.net>, netdev@vger.kernel.org,\n\tkernel-janitors@vger.kernel.org","Subject":"[PATCH net] net: qualcomm: rmnet: Fix a double free","Message-ID":"<20170908102356.tzysh6qaiesd2umz@mwanda>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","X-Mailer":"git-send-email haha only kidding","User-Agent":"NeoMutt/20170609 (1.8.3)","X-Source-IP":"aserv0022.oracle.com [141.146.126.234]","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"This is called from rmnet_map_ingress_handler().  When the\nrmnet_map_deaggregate() returns NULL then the caller calls\nconsume_skb(skb) which frees the skb.  The kfree_skb() on this error\npath leads to a double free.\n\nFixes: ceed73a2cf4a (\"drivers: net: ethernet: qualcomm: rmnet: Initial implementation\")\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\n---\nThis is from static analysis and not tested.","diff":"diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c\nindex 557c9bf1a469..0335fce54201 100644\n--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c\n+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c\n@@ -95,10 +95,8 @@ struct sk_buff *rmnet_map_deaggregate(struct sk_buff *skb)\n \tskb_pull(skb, packet_len);\n \n \t/* Some hardware can send us empty frames. Catch them */\n-\tif (ntohs(maph->pkt_len) == 0) {\n-\t\tkfree_skb(skb);\n+\tif (ntohs(maph->pkt_len) == 0)\n \t\treturn NULL;\n-\t}\n \n \treturn skbn;\n }\n","prefixes":["net"]}
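Review bot: In the rmnet_map_deaggregate() hunk, the empty-frame branch (ntohs(maph->pkt_len) == 0) now returns NULL without releasing skbn, which the function hands back on the following "return skbn;" line. If skbn already holds a buffer at that point, removing the kfree_skb() call outright trades the double free of skb for a leak of skbn. Consider freeing skbn on this path instead (kfree_skb(skbn) in place of kfree_skb(skb)), which still leaves skb to the caller's consume_skb(skb) as the commit message describes. Since the change is noted as coming from static analysis and untested, it is also worth confirming that rmnet_map_ingress_handler() is the only caller that relies on the NULL return.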