From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
To: skashyap@marvell.com, jhasan@marvell.com,
	GR-QLogic-Storage-Upstream@marvell.com, jejb@linux.ibm.com,
	martin.petersen@oracle.com, mlombard@redhat.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
	Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Subject: [PATCH] scsi/bnx2fc/bnx2fx_fcore: Fix a double free in bnx2fc_rcv
Date: Mon, 24 May 2021 03:23:20 -0700
Message-ID: <20210524102320.10122-1-lyl2019@mail.ustc.edu.cn>

In bnx2fc_rcv(), skb_share_check(skb, GFP_ATOMIC) is called to clone
the skb. But if skb_clone() fails, skb_share_check() frees the skb
for the first time and returns NULL. Then skb_share_check() returns
NULL and the code goes to err.

Unfortunately, the same skb is freed a second time at err.

As calling kfree_skb() on a null pointer is a safe operation, my patch
puts "skb = tmp_skb;" ahead of the "if(!tmp_skb) goto err;", so that
if skb_share_check() fails, skb will be a null pointer.

Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
index 8863a74e6c57..89c277cb93b2 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
@@ -445,11 +445,10 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
 	}
 
 	tmp_skb = skb_share_check(skb, GFP_ATOMIC);
+	skb = tmp_skb;
 	if (!tmp_skb)
 		goto err;
 
-	skb = tmp_skb;
-
 	if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
 		printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
 		goto err;
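
Review bot: tmp_skb is now redundant at the skb_share_check() call, since it is copied into skb on the next line and only tested for NULL. Assigning the result directly (skb = skb_share_check(skb, GFP_ATOMIC); if (!skb) goto err;) would make it obvious that skb is deliberately NULL on the failure path, and tmp_skb could be dropped if nothing else in the function uses it. The fix also depends on the err label, which is outside this hunk, freeing skb with kfree_skb() and on that call accepting NULL, as the commit message states; a one-line comment at the goto would keep a later cleanup from moving the assignment back below the check. Separately, the subject prefix reads bnx2fx_fcore while the file touched is bnx2fc_fcoe.c.
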
-- 
2.25.1


