From: Kristian Evensen <kristian.evensen@gmail.com>
To: bjorn@mork.no, netdev@vger.kernel.org, subashab@codeaurora.org
Cc: Kristian Evensen <kristian.evensen@gmail.com>
Subject: [PATCH net] qmi_wwan: Clone the skb when in pass-through mode
Date: Mon, 14 Jun 2021 16:18:49 +0200
Message-ID: <20210614141849.3587683-1-kristian.evensen@gmail.com>

The skb that we pass to the rmnet driver is owned by usbnet and is freed
soon after the rx_fixup() callback is called (in usbnet_bh()).  There is
no guarantee that rmnet is done handling the skb before it is freed. We
should clone the skb before we call netif_rx() to prevent use-after-free
and misc. kernel oops.

Fixes: 59e139cf0b32 ("net: qmi_wwan: Add pass through mode")

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
---
 drivers/net/usb/qmi_wwan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index db8d3a4f2678..5ac307eb0bfd 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -620,6 +620,10 @@ static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		return qmimux_rx_fixup(dev, skb);
 
 	if (info->flags & QMI_WWAN_FLAG_PASS_THROUGH) {
+		skb = skb_clone(skb, GFP_ATOMIC);
+		if (!skb)
+			return 0;
+
 		skb->protocol = htons(ETH_P_MAP);
 		return (netif_rx(skb) == NET_RX_SUCCESS);
 	}
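Review bot: In the pass-through branch, the `if (!skb) return 0;` path drops the packet silently when skb_clone() fails under GFP_ATOMIC; consider bumping a drop counter such as dev->net->stats.rx_dropped there so allocation pressure is visible. Reassigning the `skb` parameter to the clone also hides the fact that the original buffer still belongs to usbnet, so a separate local (for example `skbn`) would make the ownership split easier to follow. Finally, the success path still returns nonzero after netif_rx() has taken the clone, so the commit message should say what the caller then does with the original skb, to confirm the packet is not handled a second time.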
-- 
2.25.1


Thread overview: 14+ messages
2021-06-14 14:18 Kristian Evensen [this message]
2021-06-14 14:45 ` [PATCH net] qmi_wwan: Clone the skb when in pass-through mode Bjørn Mork
2021-06-14 15:49   ` Kristian Evensen
2021-06-14 17:02     ` Kristian Evensen
2021-06-14 20:05   ` Jakub Kicinski
2021-06-15  6:24     ` Bjørn Mork
2021-06-15  9:03     ` Kristian Evensen
2021-06-15 10:04       ` Bjørn Mork
2021-06-15 10:51         ` Kristian Evensen
2021-06-15 11:04           ` Kristian Evensen
2021-06-15 13:39             ` Bjørn Mork
2021-06-15 19:26               ` Jakub Kicinski
2021-06-15 19:27                 ` Jakub Kicinski
2021-06-16 10:08                 ` Kristian Evensen
