Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ehea: fix use after free

ehea_start_xmit() dereferences skb after its freeing in ehea_xmit3() to
get vlan tags.

Move the offending block before the potential ehea_xmit3() call.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Eric Dumazet and committed by David S. Miller
e5ccd961 b914c4ea

+5 -5
drivers/net/ehea/ehea_main.c
··· 2249 2249 memset(swqe, 0, SWQE_HEADER_SIZE); 2250 2250 atomic_dec(&pr->swqe_avail); 2251 2251 2252 + if (vlan_tx_tag_present(skb)) { 2253 + swqe->tx_control |= EHEA_SWQE_VLAN_INSERT; 2254 + swqe->vlan_tag = vlan_tx_tag_get(skb); 2255 + } 2256 + 2252 2257 if (skb->len <= SWQE3_MAX_IMM) { 2253 2258 u32 sig_iv = port->sig_comp_iv; 2254 2259 u32 swqe_num = pr->swqe_id_counter; ··· 2283 2278 swqe->tx_control |= EHEA_SWQE_SIGNALLED_COMPLETION; 2284 2279 } 2285 2280 pr->swqe_id_counter += 1; 2286 - 2287 - if (vlan_tx_tag_present(skb)) { 2288 - swqe->tx_control |= EHEA_SWQE_VLAN_INSERT; 2289 - swqe->vlan_tag = vlan_tx_tag_get(skb); 2290 - } 2291 2281 2292 2282 if (netif_msg_tx_queued(port)) { 2293 2283 ehea_info("post swqe on QP %d", pr->qp->init_attr.qp_nr);
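
Review bot: in the first hunk, the VLAN block now sits directly above `if (skb->len <= SWQE3_MAX_IMM)` with nothing in the code saying why its position matters. The commit message explains that ehea_xmit3() can free skb, but that ownership rule is not visible at the call site, so a later cleanup could move an skb read back below the branch and reintroduce the use after free. Suggest a short comment above the block stating that skb must not be dereferenced after the ehea_xmit3() call because that function may free it.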
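
Review bot: in the second hunk, the lines left after `pr->swqe_id_counter += 1` (the `netif_msg_tx_queued(port)` check and the `ehea_info(...)` call) no longer read skb, but the hunk ends there, so the diff does not show whether anything further down in ehea_start_xmit() still does. Please confirm that the rest of the function has no skb access on the path where ehea_xmit3() was taken, and where a value is still needed, capture it before the branch in the same way the VLAN tag is now copied into swqe.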