diff options
| author | Yunsheng Lin <linyunsheng@huawei.com> | 2019-12-05 10:12:28 +0800 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-12-05 14:42:43 -0800 |
| commit | d1a37dedcfcf2c01daff5281c3c378876a04e2f4 (patch) | |
| tree | 6feb0871314133d0fd9ba248e323775d69750b2f /.cocciconfig | |
| parent | 2a597eff2437d21841a1e87ffa536ab69dbffdcf (diff) | |
| download | linux-d1a37dedcfcf2c01daff5281c3c378876a04e2f4.tar.bz2 | |
net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
SKB if the BD num required by the SKB does not meet the hardware
limitation, and it linearizes the SKB by allocating a new linearized SKB
and freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY
because there are no enough space in the ring to send the linearized
skb to hardware, the sch_direct_xmit() still hold reference to old SKB
and try to retransmit the old SKB when dev_hard_start_xmit() return
TX_BUSY, which may cause use after freed problem.
This patch fixes it by using __skb_linearize() to linearize the
SKB in hns3_nic_maybe_stop_tx().
Fixes: 51e8439f3496 ("net: hns3: add 8 BD limit for tx flow")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '.cocciconfig')
0 files changed, 0 insertions, 0 deletions