[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACKFLimL-yWL8DHugNYgYMbCKLvKU5n=Ht-zYLOcNW7sa3=cwg@mail.gmail.com>
Date: Wed, 21 Sep 2022 14:15:23 -0700
From: Michael Chan <michael.chan@...adcom.com>
To: Andy Gospodarek <andrew.gospodarek@...adcom.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
David Miller <davem@...emloft.net>,
Netdev <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Pavan Chebbi <pavan.chebbi@...adcom.com>
Subject: Re: [PATCH net] bnxt: prevent skb UAF after handing over to PTP worker
On Wed, Sep 21, 2022 at 1:26 PM Andy Gospodarek
<andrew.gospodarek@...adcom.com> wrote:
>
> On Wed, Sep 21, 2022 at 01:10:05PM -0700, Jakub Kicinski wrote:
> > When reading the timestamp is required bnxt_tx_int() hands
> > over the ownership of the completed skb to the PTP worker.
> > The skb should not be used afterwards, as the worker may
> > run before the rest of our code and free the skb, leading
> > to a use-after-free.
> >
> > Since dev_kfree_skb_any() accepts NULL make the loss of
> > ownership more obvious and set skb to NULL.
> >
> > Fixes: 83bb623c968e ("bnxt_en: Transmit and retrieve packet timestamps")
> > Signed-off-by: Jakub Kicinski <kuba@...nel.org>
>
> In general this looks good to me. Let's make sure Pavan and Michael
> also agree. Thanks for the patch!
>
> Reviewed-by: Andy Gospodarek <gospo@...adcom.com>
Thanks for catching this.
Reviewed-by: Michael Chan <michael.chan@...adcom.com>
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4209 bytes)
Powered by blists - more mailing lists