From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751738AbeAYXgg (ORCPT ); Thu, 25 Jan 2018 18:36:36 -0500 Received: from mx1.redhat.com ([209.132.183.28]:43196 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751707AbeAYXgc (ORCPT ); Thu, 25 Jan 2018 18:36:32 -0500 Date: Fri, 26 Jan 2018 01:36:31 +0200 From: "Michael S. Tsirkin" To: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org, Jason Wang , John Fastabend , David Miller Subject: [PATCH net-next 04/12] tap: fix use-after-free Message-ID: <1516923320-16959-5-git-send-email-mst@redhat.com> References: <1516923320-16959-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1516923320-16959-1-git-send-email-mst@redhat.com> X-Mutt-Fcc: =sent Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Lockless access to __ptr_ring_full is only legal if ring is never resized, otherwise it might cause use-after free errors. Simply drop the lockless test, we'll drop the packet a bit later when produce fails. Fixes: 362899b8 ("macvtap: switch to use skb array") Signed-off-by: Michael S. Tsirkin --- drivers/net/tap.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 7c38659..7787269 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb) if (!q) return RX_HANDLER_PASS; - if (__ptr_ring_full(&q->ring)) - goto drop; - skb_push(skb, ETH_HLEN); /* Apply the forward feature mask so that we perform segmentation -- MST
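Review bot: with the `__ptr_ring_full(&q->ring)` test removed from tap_handle_frame(), a full ring is only detected when produce fails, which is after `skb_push(skb, ETH_HLEN)` and the segmentation step announced by the comment that follows it. The produce call is not in this hunk, so the claim "we'll drop the packet a bit later when produce fails" cannot be checked from the lines shown. It would help if the commit message named the produce call sites and confirmed that each failure path reaches the same `drop` label the removed `goto drop` used, so that every skb is still freed and counted. The message could also note that a full ring now costs the segmentation work before the drop, since that changes behaviour under overload. Separately, the Fixes: tag uses an 8-character abbreviated hash (`362899b8`); kernel convention is at least 12 characters.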