This is a note to let you know that I've just added the patch titled
firewire: net: fix use after free in fwnet_finish_incoming_packet()
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
firewire-net-fix-use-after-free-in-fwnet_finish_inco.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 77bdf3797f242a5e124ec46b3e9cefaf72a2576e
Author: Zhang Shurong <zhang_shurong@xxxxxxxxxxx>
Date: Fri Jun 23 13:39:35 2023 +0800
firewire: net: fix use after free in fwnet_finish_incoming_packet()
[ Upstream commit 3ff256751a2853e1ffaa36958ff933ccc98c6cb5 ]
The netif_rx() function frees the skb so we can't dereference it to
save the skb->len.
Signed-off-by: Zhang Shurong <zhang_shurong@xxxxxxxxxxx>
Link: https://lore.kernel.org/r/tencent_3B3D24B66ED66A6BB73CC0E63C6A14E45109@xxxxxx
Signed-off-by: Takashi Sakamoto <o-takashi@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
index af22be84034bb..a53eacebca339 100644
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -479,7 +479,7 @@ static int fwnet_finish_incoming_packet(struct net_device *net,
struct sk_buff *skb, u16 source_node_id,
bool is_broadcast, u16 ether_type)
{
- int status;
+ int status, len;
switch (ether_type) {
case ETH_P_ARP:
@@ -533,13 +533,15 @@ static int fwnet_finish_incoming_packet(struct net_device *net,
}
skb->protocol = protocol;
}
+
+ len = skb->len;
status = netif_rx(skb);
if (status == NET_RX_DROP) {
net->stats.rx_errors++;
net->stats.rx_dropped++;
} else {
net->stats.rx_packets++;
- net->stats.rx_bytes += skb->len;
+ net->stats.rx_bytes += len;
}
return 0;
