* [PATCH net-next v2] net: qualcomm: rmnet: Fix use after free while sending command ack
@ 2018-06-05  1:43 Subash Abhinov Kasiviswanathan
  2018-06-05 14:17 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Subash Abhinov Kasiviswanathan @ 2018-06-05  1:43 UTC
  To: davem, netdev; +Cc: Subash Abhinov Kasiviswanathan

When sending an ack to a command packet, the skb is still referenced
after it is sent to the real device. Since the real device could
free the skb, the device pointer would be invalid.
Also, remove an unnecessary variable.

Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

---
v1->v2: Rebase change on net-next instead as mentioned by David.
Also remove an unnecessary variable.
---
 drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
index 56a93df..3ee8ae9 100644
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
@@ -67,7 +67,7 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
 			       struct rmnet_port *port)
 {
 	struct rmnet_map_control_command *cmd;
-	int xmit_status;
+	struct net_device *dev = skb->dev;
 
 	if (port->data_format & RMNET_FLAGS_INGRESS_MAP_CKSUMV4)
 		skb_trim(skb,
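Review bot: The new `struct net_device *dev = skb->dev;` declaration carries no comment saying why the pointer is cached, so a later cleanup could switch back to reading skb->dev after the transmit call. A one-line comment above it, noting that the skb may be freed by ndo_start_xmit() and must not be dereferenced afterwards, would document the constraint.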
@@ -78,9 +78,9 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
 	cmd = RMNET_MAP_GET_CMD_START(skb);
 	cmd->cmd_type = type & 0x03;
 
-	netif_tx_lock(skb->dev);
-	xmit_status = skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev);
-	netif_tx_unlock(skb->dev);
+	netif_tx_lock(dev);
+	dev->netdev_ops->ndo_start_xmit(skb, dev);
+	netif_tx_unlock(dev);
 }
 
 /* Process MAP command frame and send N/ACK message as appropriate. Message cmd
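Review bot: The return value of `dev->netdev_ops->ndo_start_xmit(skb, dev);` is now discarded outright, so a NETDEV_TX_BUSY return, where the driver has not consumed the skb, leaves the ack skb neither freed nor retried. Consider checking the return and freeing the skb on that path, or handing the skb to dev_queue_xmit() so the core deals with a busy queue. It would also help to state, in the commit message or a comment, what keeps `dev` valid across the transmit so that `netif_tx_unlock(dev);` is safe; the visible lines do not show a reference or lock covering it.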
-- 
1.9.1


* Re: [PATCH net-next v2] net: qualcomm: rmnet: Fix use after free while sending command ack
  2018-06-05  1:43 [PATCH net-next v2] net: qualcomm: rmnet: Fix use after free while sending command ack Subash Abhinov Kasiviswanathan
@ 2018-06-05 14:17 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2018-06-05 14:17 UTC
  To: subashab; +Cc: netdev

From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Date: Mon,  4 Jun 2018 19:43:38 -0600

> When sending an ack to a command packet, the skb is still referenced
> after it is sent to the real device. Since the real device could
> free the skb, the device pointer would be invalid.
> Also, remove an unnecessary variable.
> 
> Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
> Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

Applied.

