Message ID | 20210329115002.8557-1-lyl2019@mail.ustc.edu.cn |
---|---|
State | New |
Series | ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx |

On Mon, 29 Mar 2021 04:50:02 -0700 Lv Yunlong wrote:
> In nfp_bpf_ctrl_msg_rx, if
> nfp_ccm_get_type(skb) == NFP_CCM_TYPE_BPF_BPF_EVENT is true, the skb
> will be freed. But the skb is still used by nfp_ccm_rx(&bpf->ccm, skb).
>
> My patch adds a return when the skb was freed.
>
> Fixes: bcf0cafab44fd ("nfp: split out common control message handling code")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

Reviewed-by: Jakub Kicinski <kuba@kernel.org>

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Mon, 29 Mar 2021 04:50:02 -0700 you wrote:
> In nfp_bpf_ctrl_msg_rx, if
> nfp_ccm_get_type(skb) == NFP_CCM_TYPE_BPF_BPF_EVENT is true, the skb
> will be freed. But the skb is still used by nfp_ccm_rx(&bpf->ccm, skb).
>
> My patch adds a return when the skb was freed.
>
> Fixes: bcf0cafab44fd ("nfp: split out common control message handling code")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
>
> [...]

Here is the summary with links:
  - ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx
    https://git.kernel.org/netdev/net/c/6e5a03bcba44

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

diff --git a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c index 0e2db6ea79e9..2ec62c8d86e1 100644 --- a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c +++ b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c @@ -454,6 +454,7 @@ void nfp_bpf_ctrl_msg_rx(struct nfp_app *app, struct sk_buff *skb) dev_consume_skb_any(skb); else dev_kfree_skb_any(skb); + return; } nfp_ccm_rx(&bpf->ccm, skb);
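
Review bot: the commit message should say why falling through is a problem, at the point where the new return follows dev_consume_skb_any(skb) / dev_kfree_skb_any(skb) in nfp_bpf_ctrl_msg_rx(): both arms of that if/else release the skb, and nfp_ccm_rx(&bpf->ccm, skb) is then handed the same pointer. Placing the return after the if/else rather than inside one arm is right, since it covers both release paths. The hunk shows only this one branch, so it is worth confirming that no other path in the function releases skb and still reaches nfp_ccm_rx().
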

In nfp_bpf_ctrl_msg_rx, if
nfp_ccm_get_type(skb) == NFP_CCM_TYPE_BPF_BPF_EVENT is true, the skb
will be freed. But the skb is still used by nfp_ccm_rx(&bpf->ccm, skb).

My patch adds a return when the skb was freed.

Fixes: bcf0cafab44fd ("nfp: split out common control message handling code")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 1 +
 1 file changed, 1 insertion(+)