From patchwork Sun Jun  3 22:17:55 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Subash Abhinov Kasiviswanathan
 <subashab@codeaurora.org>
X-Patchwork-Id: 924768
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=codeaurora.org
Authentication-Results: ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=codeaurora.org header.i=@codeaurora.org
	header.b="KQlaqfuE";
	dkim=pass (1024-bit key) header.d=codeaurora.org
	header.i=@codeaurora.org header.b="KQlaqfuE";
	dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 40zXX669JWz9ry1
	for <patchwork-incoming-netdev@ozlabs.org>;
	Mon,  4 Jun 2018 08:18:30 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751461AbeFCWSY (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Sun, 3 Jun 2018 18:18:24 -0400
Received: from smtp.codeaurora.org ([198.145.29.96]:47342 "EHLO
	smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751210AbeFCWSY (ORCPT
	<rfc822;netdev@vger.kernel.org>); Sun, 3 Jun 2018 18:18:24 -0400
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
	id 995AD60224; Sun,  3 Jun 2018 22:18:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1528064303;
	bh=GXF/t+4w/hSHCNyR1vy5ZGlAxF3otqUBcTlz/2tIs7s=;
	h=From:To:Cc:Subject:Date:From;
	b=KQlaqfuEF7h7JPQrYUsbbrnynafEkVQmZAyxAlsw/SYEgrSOm4E3b/FdmsXIA5o12
	c/jYII1Zjtk4YLUYwSIXPWyv2m2tH/51E6gYSwBbf810XcOG7fxB/OUTy8if0KWfD+
	pGjm1K96Xw9fl6sRu66NzKPCaf/fgeoDf5LHidIE=
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	pdx-caf-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00,
	DKIM_SIGNED,
	T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0
Received: from subashab-lnx.qualcomm.com (unknown [129.46.15.92])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: subashab@codeaurora.org)
	by smtp.codeaurora.org (Postfix) with ESMTPSA id B82B160224;
	Sun,  3 Jun 2018 22:18:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1528064303;
	bh=GXF/t+4w/hSHCNyR1vy5ZGlAxF3otqUBcTlz/2tIs7s=;
	h=From:To:Cc:Subject:Date:From;
	b=KQlaqfuEF7h7JPQrYUsbbrnynafEkVQmZAyxAlsw/SYEgrSOm4E3b/FdmsXIA5o12
	c/jYII1Zjtk4YLUYwSIXPWyv2m2tH/51E6gYSwBbf810XcOG7fxB/OUTy8if0KWfD+
	pGjm1K96Xw9fl6sRu66NzKPCaf/fgeoDf5LHidIE=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org B82B160224
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	dmarc=none (p=none dis=none)
	header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	spf=none smtp.mailfrom=subashab@codeaurora.org
From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
To: davem@davemloft.net, netdev@vger.kernel.org
Cc: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Subject: [PATCH net] net: qualcomm: rmnet: Fix use after free while sending
	command ack
Date: Sun,  3 Jun 2018 16:17:55 -0600
Message-Id: <1528064275-3205-1-git-send-email-subashab@codeaurora.org>
X-Mailer: git-send-email 1.9.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

When sending an ack to a command packet, the skb is still referenced
after it is sent to the real device. Since the real device could
free the skb, the device pointer would be invalid.

Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
---
 drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
index 78fdad0..f530b07 100644
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
@@ -67,6 +67,7 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
 			       struct rmnet_port *port)
 {
 	struct rmnet_map_control_command *cmd;
+	struct net_device *dev = skb->dev;
 	int xmit_status;
 
 	if (port->data_format & RMNET_FLAGS_INGRESS_MAP_CKSUMV4) {
@@ -86,9 +87,9 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
 	cmd = RMNET_MAP_GET_CMD_START(skb);
 	cmd->cmd_type = type & 0x03;
 
-	netif_tx_lock(skb->dev);
-	xmit_status = skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev);
-	netif_tx_unlock(skb->dev);
+	netif_tx_lock(dev);
+	xmit_status = dev->netdev_ops->ndo_start_xmit(skb, dev);
+	netif_tx_unlock(dev);
 }
 
 /* Process MAP command frame and send N/ACK message as appropriate. Message cmd