lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Dec 2013 13:05:06 -0500 (EST) From: David Miller <davem@...emloft.net> To: eric.dumazet@...il.com Cc: netdev@...r.kernel.org, Alexey.Brodkin@...opsys.com, richardcochran@...il.com Subject: Re: [PATCH v2] arc_emac: fix potential use after free From: Eric Dumazet <eric.dumazet@...il.com> Date: Thu, 19 Dec 2013 18:10:40 -0800 > Signed-off-by: Eric Dumazet <edumazet@...gle.com> > > skb_tx_timestamp(skb) should be called _before_ TX completion > has a chance to trigger, otherwise it is too late and we access > freed memory. > > Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver") > From: Eric Dumazet <edumazet@...gle.com> > Cc: Alexey Brodkin <Alexey.Brodkin@...opsys.com> > Cc: Richard Cochran <richardcochran@...il.com> Applied, thanks. I've seen this bug enough times that I've expanded the comment a bit more. ==================== [PATCH] net: Add some clarification to skb_tx_timestamp() comment. We've seen so many instances of people invoking skb_tx_timestamp() after the device already has been given the packet, that it's worth being a little bit more verbose and explicit in this comment. Signed-off-by: David S. Miller <davem@...emloft.net> --- include/linux/skbuff.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 6aae838..6f69b3f 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2531,6 +2531,10 @@ static inline void sw_tx_timestamp(struct sk_buff *skb) * Ethernet MAC Drivers should call this function in their hard_xmit() * function immediately before giving the sk_buff to the MAC hardware. * + * Specifically, one should make absolutely sure that this function is + * called before TX completion of this packet can trigger. Otherwise + * the packet could potentially already be freed. + * * @skb: A socket buffer. */ static inline void skb_tx_timestamp(struct sk_buff *skb) -- 1.7.11.7 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists