This is a note to let you know that I've just added the patch titled HSI: ssi_protocol: double free in ssip_pn_xmit() to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Thu Mar 22 14:40:23 CET 2018 From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Date: Fri, 21 Apr 2017 13:39:09 +0300 Subject: HSI: ssi_protocol: double free in ssip_pn_xmit() From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> [ Upstream commit 3026050179a3a9a6f5c892c414b5e36ecf092081 ] If skb_pad() fails then it frees skb and we don't need to free it again at the end of the function. Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Sebastian Reichel <sre@xxxxxxxxxx> Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/hsi/clients/ssi_protocol.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/hsi/clients/ssi_protocol.c +++ b/drivers/hsi/clients/ssi_protocol.c @@ -989,7 +989,7 @@ static int ssip_pn_xmit(struct sk_buff * goto drop; /* Pad to 32-bits - FIXME: Revisit*/ if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3))) - goto drop; + goto inc_dropped; /* * Modem sends Phonet messages over SSI with its own endianess... 
@@ -1041,8 +1041,9 @@ static int ssip_pn_xmit(struct sk_buff * drop2: hsi_free_msg(msg); drop: - dev->stats.tx_dropped++; dev_kfree_skb(skb); +inc_dropped: + dev->stats.tx_dropped++; return 0; } Patches currently in stable-queue which might be from dan.carpenter@xxxxxxxxxx are queue-4.9/netfilter-x_tables-unlock-on-error-in-xt_find_table_lock.patch queue-4.9/asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch queue-4.9/mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch queue-4.9/qed-unlock-on-error-in-qed_vf_pf_acquire.patch queue-4.9/hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch queue-4.9/cifs-small-underflow-in-cnvrtdosunixtm.patch queue-4.9/ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch
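Review bot: In the first hunk (@@ -989), the new `goto inc_dropped` after the failed skb_pad() call carries no comment explaining why this one error path skips dev_kfree_skb(skb) while the `goto drop` just above it does not. The commit message gives the reason (skb_pad() frees skb when it fails). A one-line comment next to the existing "Pad to 32-bits" comment would keep a later cleanup from changing it back to `goto drop` and reintroducing the double free.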
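Review bot: In the second hunk (@@ -1041), the new `inc_dropped:` label sits below dev_kfree_skb(skb) and is also reached by fallthrough from `drop:`, so any path that jumps to it directly must already have released skb, and the label name does not convey that. A short comment at the label stating that skb is already freed at this point, or a name that says so, would make the contract explicit. The `dev->stats.tx_dropped++` line does not touch skb, so moving it after the free is fine.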