From patchwork Fri Dec 26 22:44:01 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Herbert Xu <herbert@gondor.apana.org.au>
X-Patchwork-Id: 15742
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 5E973DDD1B
	for <patchwork-incoming@ozlabs.org>;
	Sat, 27 Dec 2008 12:32:02 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752185AbYLZWoJ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 26 Dec 2008 17:44:09 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751977AbYLZWoH
	(ORCPT <rfc822; netdev-outgoing>); Fri, 26 Dec 2008 17:44:07 -0500
Received: from rhun.apana.org.au ([64.62.148.172]:35575 "EHLO
	arnor.apana.org.au" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
	with ESMTP id S1751919AbYLZWoG (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 26 Dec 2008 17:44:06 -0500
Received: from gondolin.me.apana.org.au ([192.168.0.6])
	by arnor.apana.org.au with esmtp (Exim 4.63 #1 (Debian))
	id 1LGLPW-0001Qn-VQ; Sat, 27 Dec 2008 09:44:03 +1100
Received: from herbert by gondolin.me.apana.org.au with local (Exim 4.69)
	(envelope-from <herbert@gondor.apana.org.au>)
	id 1LGLPV-0005oS-IP; Sat, 27 Dec 2008 09:44:01 +1100
Date: Sat, 27 Dec 2008 09:44:01 +1100
From: Herbert Xu <herbert@gondor.apana.org.au>
To: "David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org
Subject: gro: Fix potential use after free
Message-ID: <20081226224401.GA22329@gondor.apana.org.au>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Hi Dave:

While implementing GRO support for page frags, I found a little bug
in the original code.

gro: Fix potential use after free

The initial skb may have been freed after napi_gro_complete in
napi_gro_receive if it was merged into an existing packet.  Thus
we cannot check same_flow (which indicates whether it was merged)
after calling napi_gro_complete.

This patch fixes this by saving the same_flow status before the
call to napi_gro_complete.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>


Thanks,

diff --git a/net/core/dev.c b/net/core/dev.c
index daca72e..9d60941 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2390,6 +2390,7 @@ int napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb)
 	__be16 type = skb->protocol;
 	struct list_head *head = &ptype_base[ntohs(type) & PTYPE_HASH_MASK];
 	int count = 0;
+	int same_flow;
 	int mac_len;
 
 	if (!(skb->dev->features & NETIF_F_GRO))
@@ -2425,6 +2426,8 @@ int napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb)
 	if (&ptype->list == head)
 		goto normal;
 
+	same_flow = NAPI_GRO_CB(skb)->same_flow;
+
 	if (pp) {
 		struct sk_buff *nskb = *pp;
 
@@ -2434,7 +2437,7 @@ int napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb)
 		count--;
 	}
 
-	if (NAPI_GRO_CB(skb)->same_flow)
+	if (same_flow)
 		goto ok;
 
 	if (NAPI_GRO_CB(skb)->flush || count >= MAX_GRO_SKBS) {