[openwrt/openwrt] lantiq: xrx200: fix use after free bug

LEDE Commits lede-commits at lists.infradead.org
Tue Mar 8 09:35:29 PST 2022


ynezz pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/c46621b3f3fff89cce4dd5e24bd52a4337e44378

commit c46621b3f3fff89cce4dd5e24bd52a4337e44378
Author: Aleksander Jan Bajkowski <olek2 at wp.pl>
AuthorDate: Sat Mar 5 12:54:48 2022 +0100

    lantiq: xrx200: fix use after free bug
    
    The skb->len field is read after the packet is sent to the network
    stack. In the meantime, skb can be freed. This patch fixes this bug.
    
    Signed-off-by: Aleksander Jan Bajkowski <olek2 at wp.pl>
---
 ...MIPS-lantiq-dma-increase-descritor-count.patch} |  0
 ...-lantiq_xrx200-increase-napi-poll-weigth.patch} |  0
 ...7-net-lantiq_xrx200-convert-to-build_skb.patch} |  0
 ...-net-lantiq_xrx200-fix-use-after-free-bug.patch | 30 ++++++++++++++++++++++
 4 files changed, 30 insertions(+)

diff --git a/target/linux/lantiq/patches-5.10/0713-MIPS-lantiq-dma-increase-descritor-count.patch b/target/linux/lantiq/patches-5.10/0713-v5.17-MIPS-lantiq-dma-increase-descritor-count.patch
similarity index 100%
rename from target/linux/lantiq/patches-5.10/0713-MIPS-lantiq-dma-increase-descritor-count.patch
rename to target/linux/lantiq/patches-5.10/0713-v5.17-MIPS-lantiq-dma-increase-descritor-count.patch
diff --git a/target/linux/lantiq/patches-5.10/0714-net-lantiq_xrx200-increase-napi-poll-weigth.patch b/target/linux/lantiq/patches-5.10/0714-v5.17-net-lantiq_xrx200-increase-napi-poll-weigth.patch
similarity index 100%
rename from target/linux/lantiq/patches-5.10/0714-net-lantiq_xrx200-increase-napi-poll-weigth.patch
rename to target/linux/lantiq/patches-5.10/0714-v5.17-net-lantiq_xrx200-increase-napi-poll-weigth.patch
diff --git a/target/linux/lantiq/patches-5.10/0715-net-lantiq_xrx200-convert-to-build_skb.patch b/target/linux/lantiq/patches-5.10/0715-v5.17-net-lantiq_xrx200-convert-to-build_skb.patch
similarity index 100%
rename from target/linux/lantiq/patches-5.10/0715-net-lantiq_xrx200-convert-to-build_skb.patch
rename to target/linux/lantiq/patches-5.10/0715-v5.17-net-lantiq_xrx200-convert-to-build_skb.patch
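Review bot: the three pure renames above (0713, 0714 and 0715 gaining a "v5.17-" prefix, similarity index 100%) are not mentioned in the commit message, which describes only the use-after-free fix. Either add a sentence explaining why the existing patches are renamed, or move the renames into their own commit so that the fix can be reverted or backported on its own.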
diff --git a/target/linux/lantiq/patches-5.10/0716-v5.17-net-lantiq_xrx200-fix-use-after-free-bug.patch b/target/linux/lantiq/patches-5.10/0716-v5.17-net-lantiq_xrx200-fix-use-after-free-bug.patch
new file mode 100644
index 0000000000..090b7e3111
--- /dev/null
+++ b/target/linux/lantiq/patches-5.10/0716-v5.17-net-lantiq_xrx200-fix-use-after-free-bug.patch
@@ -0,0 +1,30 @@
+From dd830aed23c6e07cd8e2a163742bf3d63c9add08 Mon Sep 17 00:00:00 2001
+From: Aleksander Jan Bajkowski <olek2 at wp.pl>
+Date: Sat, 5 Mar 2022 12:20:39 +0100
+Subject: net: lantiq_xrx200: fix use after free bug
+
+The skb->len field is read after the packet is sent to the network
+stack. In the meantime, skb can be freed. This patch fixes this bug.
+
+Fixes: c3e6b2c35b34 ("net: lantiq_xrx200: add ingress SG DMA support")
+Reported-by: Eric Dumazet <eric.dumazet at gmail.com>
+Signed-off-by: Aleksander Jan Bajkowski <olek2 at wp.pl>
+Acked-by: Hauke Mehrtens <hauke at hauke-m.de>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -260,9 +260,9 @@ static int xrx200_hw_receive(struct xrx2
+ 
+ 	if (ctl & LTQ_DMA_EOP) {
+ 		ch->skb_head->protocol = eth_type_trans(ch->skb_head, net_dev);
+-		netif_receive_skb(ch->skb_head);
+ 		net_dev->stats.rx_packets++;
+ 		net_dev->stats.rx_bytes += ch->skb_head->len;
++		netif_receive_skb(ch->skb_head);
+ 		ch->skb_head = NULL;
+ 		ch->skb_tail = NULL;
+ 		ret = XRX200_DMA_PACKET_COMPLETE;
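Review bot: in the xrx200_hw_receive() hunk the fix rests entirely on statement order, and nothing in the code marks that ch->skb_head must not be dereferenced once netif_receive_skb() has been called. A short comment above the call, or reading ch->skb_head->len into a local before the hand-off, would keep a later reorder from reintroducing the use after free. Separately, rx_bytes is still read after eth_type_trans(), which pulls the Ethernet header off the skb, so the counter excludes the header length for every packet. That behaviour predates this change, but it is worth confirming it is intended while this line is being touched.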



