Patch "net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send" has been added to the 5.10-stable tree


 



This is a note to let you know that I've just added the patch titled

    net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-emac-emac-mac-fix-a-use-after-free-in-emac_mac_t.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f6e43a0014a204249734f25cc0cc5dd45826cc09
Author: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
Date:   Mon Apr 26 09:06:25 2021 -0700

    net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
    
    [ Upstream commit 6d72e7c767acbbdd44ebc7d89c6690b405b32b57 ]
    
    In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
    If some error happens in emac_tx_fill_tpd(), the skb will be freed via
    dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
    But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).
    
    As I observed that emac_tx_fill_tpd() hasn't modified the value of skb->len,
    thus my patch assigns skb->len to 'len' before the possible free and
    uses 'len' instead of skb->len later.
    
    Fixes: b9b17debc69d2 ("net: emac: emac gigabit ethernet controller driver")
    Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/qualcomm/emac/emac-mac.c b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
index 117188e3c7de..87b8c032195d 100644
--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
@@ -1437,6 +1437,7 @@ netdev_tx_t emac_mac_tx_buf_send(struct emac_adapter *adpt,
 {
 	struct emac_tpd tpd;
 	u32 prod_idx;
+	int len;
 
 	memset(&tpd, 0, sizeof(tpd));
 
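Review bot: The new local `int len;` is signed, while skb->len is an unsigned int and netdev_sent_queue() takes an unsigned int byte count, so the value makes a round trip through a signed type for no reason. Declaring it as `unsigned int len;` keeps the types consistent with both the source field and the consumer and avoids any sign-conversion warnings.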
@@ -1456,9 +1457,10 @@ netdev_tx_t emac_mac_tx_buf_send(struct emac_adapter *adpt,
 	if (skb_network_offset(skb) != ETH_HLEN)
 		TPD_TYP_SET(&tpd, 1);
 
+	len = skb->len;
 	emac_tx_fill_tpd(adpt, tx_q, skb, &tpd);
 
-	netdev_sent_queue(adpt->netdev, skb->len);
+	netdev_sent_queue(adpt->netdev, len);
 
 	/* Make sure the are enough free descriptors to hold one
 	 * maximum-sized SKB.  We need one desc for each fragment,
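Review bot: After `emac_tx_fill_tpd(adpt, tx_q, skb, &tpd);` the caller still has no way to tell whether the skb was queued or freed on the error branch, so `netdev_sent_queue(adpt->netdev, len);` runs unconditionally and charges bytes to the queue even for a packet that was dropped. The use after free is closed by caching the length, but the byte-queue-limit accounting for the failed case deserves a follow-up: having emac_tx_fill_tpd() return a status and skipping the accounting (and the rest of the send path) on failure would be cleaner. A short comment above `len = skb->len;` saying that emac_tx_fill_tpd() may free the skb would also stop a later cleanup from reverting to skb->len.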


