summaryrefslogtreecommitdiff |
diff options
author | Jiri Slaby <jslaby@suse.cz> | 2019-01-17 12:02:21 +0100 |
---|---|---|
committer | Jiri Slaby <jslaby@suse.cz> | 2019-01-18 15:30:20 +0100 |
commit | 7ce5a63672cdad7bb85300ba9ad1ec5e0204e9bb (patch) | |
tree | 04fa88310b620ee8d042a1e9b7831a4ce7595364 | |
parent | 40c5d6a3ff8a6bb6765eee9c2e59cba48e8fe451 (diff) |
rapidio/rionet: do not free skb before reading its length
(networking-stable-18_12_03).
-rw-r--r-- | patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch | 36 | ||||
-rw-r--r-- | series.conf | 1 |
2 files changed, 37 insertions, 0 deletions
diff --git a/patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch b/patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch new file mode 100644 index 0000000000..dc507a5e13 --- /dev/null +++ b/patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch @@ -0,0 +1,36 @@ +From: Pan Bian <bianpan2016@163.com> +Date: Wed, 28 Nov 2018 14:53:19 +0800 +Subject: rapidio/rionet: do not free skb before reading its length +Git-commit: cfc435198f53a6fa1f656d98466b24967ff457d0 +Patch-mainline: v4.20-rc5 +References: networking-stable-18_12_03 + +skb is freed via dev_kfree_skb_any, however, skb->len is read then. This +may result in a use-after-free bug. + +Fixes: e6161d64263 ("rapidio/rionet: rework driver initialization and removal") +Signed-off-by: Pan Bian <bianpan2016@163.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/rionet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c +index e9f101c9bae2..bfbb39f93554 100644 +--- a/drivers/net/rionet.c ++++ b/drivers/net/rionet.c +@@ -216,9 +216,9 @@ static int rionet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + * it just report sending a packet to the target + * (without actual packet transfer). + */ +- dev_kfree_skb_any(skb); + ndev->stats.tx_packets++; + ndev->stats.tx_bytes += skb->len; ++ dev_kfree_skb_any(skb); + } + } + +-- +2.20.1 + diff --git a/series.conf b/series.conf index 0f411eee23..137e63a15d 100644 --- a/series.conf +++ b/series.conf @@ -19406,6 +19406,7 @@ patches.suse/0003-Btrfs-send-fix-infinite-loop-due-to-directory-rename.patch patches.fixes/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch patches.suse/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-.patch + patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch patches.arch/s390-sles15-17-03-s390-qeth-fix-length-check-in-SNMP-processing.patch patches.fixes/udf-Allow-mounting-volumes-with-incorrect-identifica.patch patches.fixes/ext2-fix-potential-use-after-free.patch |