Re: [PATCH v3] myri10ge: fix an incorrect free for skb in myri10ge_sw_tso

From: Jakub Kicinski
Date: Wed Apr 06 2022 - 15:53:19 EST

Next message: Rob Herring: "Re: [PATCH v5 8/8] dt-bindings: net: dwmac-imx: Document clk_csr property"
Previous message: Chen-Yu Tsai: "[PATCH v2 4/4] drm/ssd130x: Add support for SINO WEALTH SH1106"
In reply to: patchwork-bot+netdevbpf: "Re: [PATCH v3] myri10ge: fix an incorrect free for skb in myri10ge_sw_tso"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 6 Apr 2022 11:55:56 +0800 Xiaomeng Tong wrote:
> All remaining skbs should be released when myri10ge_xmit fails to
> transmit a packet. Fix it within another skb_list_walk_safe.

I think it was also a UAF.

> diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
> index 50ac3ee2577a..21d2645885ce 100644
> --- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
> +++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
> @@ -2903,11 +2903,9 @@ static netdev_tx_t myri10ge_sw_tso(struct sk_buff *skb,
> status = myri10ge_xmit(curr, dev);
> if (status != 0) {
> dev_kfree_skb_any(curr);
> - if (segs != NULL) {
> - curr = segs;
> - segs = next;
> + skb_list_walk_safe(next, curr, next) {
> curr->next = NULL;
> - dev_kfree_skb_any(segs);
> + dev_kfree_skb_any(curr);
> }
> goto drop;
> }

Much better, thanks.

kfree_skb_list() exists but the patch was already applied, so whatever.

Next message: Rob Herring: "Re: [PATCH v5 8/8] dt-bindings: net: dwmac-imx: Document clk_csr property"
Previous message: Chen-Yu Tsai: "[PATCH v2 4/4] drm/ssd130x: Add support for SINO WEALTH SH1106"
In reply to: patchwork-bot+netdevbpf: "Re: [PATCH v3] myri10ge: fix an incorrect free for skb in myri10ge_sw_tso"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]