[PATCH] SMC911X: Fix using of dereferenced skb after netif

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx
@ 2007-12-03  7:59 Wang Chen
  2007-12-03 10:11 ` Herbert Xu
  0 siblings, 1 reply; 7+ messages in thread
From: Wang Chen @ 2007-12-03  7:59 UTC (permalink / raw)
  To: Dustin McIntire, Herbert Xu; +Cc: davem, netdev

After netif_rx(), skb will be freed. So get the
skb->len before netif_rx().

Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>
---
 smc911x.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

--- linux-2.6.24.rc3.org/drivers/net/smc911x.c	2007-11-19 12:38:05.000000000 +0800
+++ linux-2.6.24.rc3/drivers/net/smc911x.c	2007-11-30 15:00:53.000000000 +0800
@@ -1287,7 +1287,7 @@ smc911x_rx_dma_irq(int dma, void *data)
 	struct smc911x_local *lp = netdev_priv(dev);
 	struct sk_buff *skb = lp->current_rx_skb;
 	unsigned long flags;
-	unsigned int pkts;
+	unsigned int pkts, len;
 
 	DBG(SMC_DEBUG_FUNC, "%s: --> %s\n", dev->name, __FUNCTION__);
 	DBG(SMC_DEBUG_RX | SMC_DEBUG_DMA, "%s: RX DMA irq handler\n", dev->name);
@@ -1299,9 +1299,10 @@ smc911x_rx_dma_irq(int dma, void *data)
 	PRINT_PKT(skb->data, skb->len);
 	dev->last_rx = jiffies;
 	skb->protocol = eth_type_trans(skb, dev);
+	len = skb->len;
 	netif_rx(skb);
 	dev->stats.rx_packets++;
-	dev->stats.rx_bytes += skb->len;
+	dev->stats.rx_bytes += len;
 
 	spin_lock_irqsave(&lp->lock, flags);
 	pkts = (SMC_GET_RX_FIFO_INF() & RX_FIFO_INF_RXSUSED_) >> 16;


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx
  2007-12-03  7:59 [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx Wang Chen
@ 2007-12-03 10:11 ` Herbert Xu
  2007-12-03 10:18   ` Wang Chen
  0 siblings, 1 reply; 7+ messages in thread
From: Herbert Xu @ 2007-12-03 10:11 UTC (permalink / raw)
  To: Wang Chen; +Cc: Dustin McIntire, davem, netdev, Jeff Garzik

On Mon, Dec 03, 2007 at 03:59:09PM +0800, Wang Chen wrote:
> After netif_rx(), skb will be freed. So get the
> skb->len before netif_rx().
> 
> Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>

Please send driver patches to Jeff Garzik <jgarzik@pobox.com>.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx
  2007-12-03 10:11 ` Herbert Xu
@ 2007-12-03 10:18   ` Wang Chen
  2007-12-03 13:47     ` Peter Korsgaard
  0 siblings, 1 reply; 7+ messages in thread
From: Wang Chen @ 2007-12-03 10:18 UTC (permalink / raw)
  To: Jeff Garzik; +Cc: Herbert Xu, Dustin McIntire, davem, netdev

Herbert Xu said the following on 2007-12-3 18:11:
> Please send driver patches to Jeff Garzik <jgarzik@pobox.com>.
> 

Sorry. Resend the patch.

After netif_rx(), skb will be freed. So get the
skb->len before netif_rx().

Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>
---
 smc911x.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

--- linux-2.6.24.rc3.org/drivers/net/smc911x.c	2007-11-19 12:38:05.000000000 +0800
+++ linux-2.6.24.rc3/drivers/net/smc911x.c	2007-11-30 15:00:53.000000000 +0800
@@ -1287,7 +1287,7 @@ smc911x_rx_dma_irq(int dma, void *data)
 	struct smc911x_local *lp = netdev_priv(dev);
 	struct sk_buff *skb = lp->current_rx_skb;
 	unsigned long flags;
-	unsigned int pkts;
+	unsigned int pkts, len;
 
 	DBG(SMC_DEBUG_FUNC, "%s: --> %s\n", dev->name, __FUNCTION__);
 	DBG(SMC_DEBUG_RX | SMC_DEBUG_DMA, "%s: RX DMA irq handler\n", dev->name);
@@ -1299,9 +1299,10 @@ smc911x_rx_dma_irq(int dma, void *data)
 	PRINT_PKT(skb->data, skb->len);
 	dev->last_rx = jiffies;
 	skb->protocol = eth_type_trans(skb, dev);
+	len = skb->len;
 	netif_rx(skb);
 	dev->stats.rx_packets++;
-	dev->stats.rx_bytes += skb->len;
+	dev->stats.rx_bytes += len;
 
 	spin_lock_irqsave(&lp->lock, flags);
 	pkts = (SMC_GET_RX_FIFO_INF() & RX_FIFO_INF_RXSUSED_) >> 16;


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx
  2007-12-03 10:18   ` Wang Chen
@ 2007-12-03 13:47     ` Peter Korsgaard
  2007-12-04  2:01       ` Wang Chen
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Korsgaard @ 2007-12-03 13:47 UTC (permalink / raw)
  To: Wang Chen; +Cc: Jeff Garzik, Herbert Xu, Dustin McIntire, davem, netdev

>>>>> "Wang" == Wang Chen <wangchen@cn.fujitsu.com> writes:

Hi,

 Wang> +	len = skb->len;
 Wang>  	netif_rx(skb);
 dev-> stats.rx_packets++;
 Wang> -	dev->stats.rx_bytes += skb->len;
 Wang> +	dev->stats.rx_bytes += len;

Why not simply update the stats before calling netif_rx as the return
value isn't checked anyway?

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx
  2007-12-03 13:47     ` Peter Korsgaard
@ 2007-12-04  2:01       ` Wang Chen
  2007-12-04  8:49         ` Peter Korsgaard
  2007-12-04 19:54         ` Jeff Garzik
  0 siblings, 2 replies; 7+ messages in thread
From: Wang Chen @ 2007-12-04  2:01 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Jeff Garzik, Herbert Xu, Dustin McIntire, davem, netdev

Peter Korsgaard said the following on 2007-12-3 21:47:
>>>>>> "Wang" == Wang Chen <wangchen@cn.fujitsu.com> writes:
> 
> Hi,
> 
>  Wang> +	len = skb->len;
>  Wang>  	netif_rx(skb);
>  dev-> stats.rx_packets++;
>  Wang> -	dev->stats.rx_bytes += skb->len;
>  Wang> +	dev->stats.rx_bytes += len;
> 
> Why not simply update the stats before calling netif_rx as the return
> value isn't checked anyway?
> 

Even the return value of netif_rx isn't checked, dev->stats maybe
changed in netif_rx. But fortunately dev->stats isn't changed in
netif_rx.
So, I agree. 
Here is the new patch.

Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>
---
 smc911x.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.24.rc3.org/drivers/net/smc911x.c	2007-11-19 12:38:05.000000000 +0800
+++ linux-2.6.24.rc3/drivers/net/smc911x.c	2007-12-04 09:59:06.000000000 +0800
@@ -1299,9 +1299,9 @@ smc911x_rx_dma_irq(int dma, void *data)
 	PRINT_PKT(skb->data, skb->len);
 	dev->last_rx = jiffies;
 	skb->protocol = eth_type_trans(skb, dev);
-	netif_rx(skb);
 	dev->stats.rx_packets++;
 	dev->stats.rx_bytes += skb->len;
+	netif_rx(skb);
 
 	spin_lock_irqsave(&lp->lock, flags);
 	pkts = (SMC_GET_RX_FIFO_INF() & RX_FIFO_INF_RXSUSED_) >> 16;


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx
  2007-12-04  2:01       ` Wang Chen
@ 2007-12-04  8:49         ` Peter Korsgaard
  2007-12-04 19:54         ` Jeff Garzik
  1 sibling, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2007-12-04  8:49 UTC (permalink / raw)
  To: Wang Chen; +Cc: Jeff Garzik, Herbert Xu, Dustin McIntire, davem, netdev

>>>>> "Wang" == Wang Chen <wangchen@cn.fujitsu.com> writes:

Hi,

 >> Why not simply update the stats before calling netif_rx as the return
 >> value isn't checked anyway?

 Wang> Even the return value of netif_rx isn't checked, dev->stats maybe
 Wang> changed in netif_rx. But fortunately dev->stats isn't changed in
 Wang> netif_rx.
 Wang> So, I agree. 
 Wang> Here is the new patch.

Thanks.

 Wang> Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>

Acked-by: Peter Korsgaard <jacmet@sunsite.dk>

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx
  2007-12-04  2:01       ` Wang Chen
  2007-12-04  8:49         ` Peter Korsgaard
@ 2007-12-04 19:54         ` Jeff Garzik
  1 sibling, 0 replies; 7+ messages in thread
From: Jeff Garzik @ 2007-12-04 19:54 UTC (permalink / raw)
  To: Wang Chen; +Cc: Peter Korsgaard, Herbert Xu, Dustin McIntire, davem, netdev

Wang Chen wrote:
> Peter Korsgaard said the following on 2007-12-3 21:47:
>>>>>>> "Wang" == Wang Chen <wangchen@cn.fujitsu.com> writes:
>> Hi,
>>
>>  Wang> +	len = skb->len;
>>  Wang>  	netif_rx(skb);
>>  dev-> stats.rx_packets++;
>>  Wang> -	dev->stats.rx_bytes += skb->len;
>>  Wang> +	dev->stats.rx_bytes += len;
>>
>> Why not simply update the stats before calling netif_rx as the return
>> value isn't checked anyway?
>>
> 
> Even the return value of netif_rx isn't checked, dev->stats maybe
> changed in netif_rx. But fortunately dev->stats isn't changed in
> netif_rx.
> So, I agree. 
> Here is the new patch.
> 
> Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>
> ---
>  smc911x.c |    2 +-
>  1 files changed, 1 insertion(+), 1 deletion(-)
> 
> --- linux-2.6.24.rc3.org/drivers/net/smc911x.c	2007-11-19 12:38:05.000000000 +0800
> +++ linux-2.6.24.rc3/drivers/net/smc911x.c	2007-12-04 09:59:06.000000000 +0800
> @@ -1299,9 +1299,9 @@ smc911x_rx_dma_irq(int dma, void *data)
>  	PRINT_PKT(skb->data, skb->len);
>  	dev->last_rx = jiffies;
>  	skb->protocol = eth_type_trans(skb, dev);
> -	netif_rx(skb);
>  	dev->stats.rx_packets++;
>  	dev->stats.rx_bytes += skb->len;
> +	netif_rx(skb);
>  

applied #upstream-fixes



^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2007-12-04 19:54 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-12-03  7:59 [PATCH] SMC911X: Fix using of dereferenced skb after netif_rx Wang Chen
2007-12-03 10:11 ` Herbert Xu
2007-12-03 10:18   ` Wang Chen
2007-12-03 13:47     ` Peter Korsgaard
2007-12-04  2:01       ` Wang Chen
2007-12-04  8:49         ` Peter Korsgaard
2007-12-04 19:54         ` Jeff Garzik

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).