ethernet:enic: Fix a use after free bug in enic_hard_start_xmit
stable inclusion from stable-v4.19.191 commit 25a87b1f566b5eb2af2857a928f0e2310d900976 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I94JCD CVE: CVE-2021-46998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=25a87b1f566b5eb2af2857a928f0e2310d900976 --------------------------- [ Upstream commit 643001b4 ] In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb). My patch makes enic_queue_wq_skb() return error and goto spin_unlock() incase of error. The solution is provided by Govind. See https://lkml.org/lkml/2021/4/30/961 . Fixes: fb7516d4 ("enic: add sw timestamp support") Signed-off-by:Lv Yunlong <lyl2019@mail.ustc.edu.cn> Acked-by:
Loading
Please sign in to comment