net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
authorYunsheng Lin <linyunsheng@huawei.com>
Thu, 5 Dec 2019 02:12:28 +0000 (10:12 +0800)
committerDavid S. Miller <davem@davemloft.net>
Thu, 5 Dec 2019 22:42:43 +0000 (14:42 -0800)
commitd1a37dedcfcf2c01daff5281c3c378876a04e2f4
tree6feb0871314133d0fd9ba248e323775d69750b2f
parent2a597eff2437d21841a1e87ffa536ab69dbffdcf
net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()

Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
SKB if the BD num required by the SKB does not meet the hardware
limitation, and it linearizes the SKB by allocating a new linearized SKB
and freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY
because there are no enough space in the ring to send the linearized
skb to hardware, the sch_direct_xmit() still hold reference to old SKB
and try to retransmit the old SKB when dev_hard_start_xmit() return
TX_BUSY, which may cause use after freed problem.

This patch fixes it by using __skb_linearize() to linearize the
SKB in hns3_nic_maybe_stop_tx().

Fixes: 51e8439f3496 ("net: hns3: add 8 BD limit for tx flow")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c