author Jiri Slaby <jslaby@suse.cz> 2019-01-17 12:02:21 +0100
committer Jiri Slaby <jslaby@suse.cz> 2019-01-18 15:30:20 +0100
commit 7ce5a63672cdad7bb85300ba9ad1ec5e0204e9bb
tree 04fa88310b620ee8d042a1e9b7831a4ce7595364
parent 40c5d6a3ff8a6bb6765eee9c2e59cba48e8fe451
rapidio/rionet: do not free skb before reading its length
(networking-stable-18_12_03).
-rw-r--r-- patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch 36
-rw-r--r-- series.conf 1
2 files changed, 37 insertions, 0 deletions
diff --git a/patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch b/patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch
new file mode 100644
index 0000000000..dc507a5e13
--- /dev/null
+++ b/patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch
@@ -0,0 +1,36 @@
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 28 Nov 2018 14:53:19 +0800
+Subject: rapidio/rionet: do not free skb before reading its length
+Git-commit: cfc435198f53a6fa1f656d98466b24967ff457d0
+Patch-mainline: v4.20-rc5
+References: networking-stable-18_12_03
+
+skb is freed via dev_kfree_skb_any, however, skb->len is read then. This
+may result in a use-after-free bug.
+
+Fixes: e6161d64263 ("rapidio/rionet: rework driver initialization and removal")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/rionet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c
+index e9f101c9bae2..bfbb39f93554 100644
+--- a/drivers/net/rionet.c
++++ b/drivers/net/rionet.c
+@@ -216,9 +216,9 @@ static int rionet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ * it just report sending a packet to the target
+ * (without actual packet transfer).
+ */
+- dev_kfree_skb_any(skb);
+ ndev->stats.tx_packets++;
+ ndev->stats.tx_bytes += skb->len;
++ dev_kfree_skb_any(skb);
+ }
+ }
+
+--
+2.20.1
+
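Review bot: After the reordering at the end of this block in rionet_start_xmit, `dev_kfree_skb_any(skb)` is the last statement before the closing braces, so the fix holds only if nothing later in the function touches skb on this path; the context lines shown stop at the closing braces, so that should be confirmed against the full function before relying on it. The description could also name the offending read (`ndev->stats.tx_bytes += skb->len`) rather than "skb->len is read then", and the Fixes: tag abbreviates the commit to 11 hex digits (e6161d64263) where 12 or more is the usual kernel convention; since this file is a backport, that is a point to raise upstream rather than to change here.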
diff --git a/series.conf b/series.conf
index 0f411eee23..137e63a15d 100644
--- a/series.conf
+++ b/series.conf
@@ -19406,6 +19406,7 @@
patches.suse/0003-Btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
patches.fixes/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
patches.suse/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-.patch
+ patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch
patches.arch/s390-sles15-17-03-s390-qeth-fix-length-check-in-SNMP-processing.patch
patches.fixes/udf-Allow-mounting-volumes-with-incorrect-identifica.patch
patches.fixes/ext2-fix-potential-use-after-free.patch