
kernel-2.6.18-128.1.10.el5.src.rpm

From: Herbert Xu <herbert.xu@redhat.com>
Subject: [RHEL5.1 PATCH] [XEN] netfront: Avoid deref'ing skb after it is potentially freed.
Date: Mon, 13 Aug 2007 22:13:12 +0800
Bugzilla: 251905
Message-Id: <20070813141312.GA644@gondor.apana.org.au>
Changelog: [XEN] netfront: Avoid deref'ing skb after it is potentially freed.


Hi:

RHEL5.1 BZ 251905

This upstream patch fixes a potential use-after-free which
may corrupt the interface stats counter.

net front: Avoid deref'ing skb after it is potentially freed.
Signed-off-by: Keir Fraser <keir@xensource.com>

diff -r 840b9df48b6a drivers/xen/netfront/netfront.c
--- a/drivers/xen/netfront/netfront.c	Tue Aug 07 09:37:41 2007 +0100
+++ b/drivers/xen/netfront/netfront.c	Mon Aug 13 22:05:25 2007 +0800
@@ -1013,15 +1013,16 @@ static int network_start_xmit(struct sk_
 	if (notify)
 		notify_remote_via_irq(np->irq);
 
+	np->stats.tx_bytes += skb->len;
+	np->stats.tx_packets++;
+
+	/* Note: It is not safe to access skb after network_tx_buf_gc()! */
 	network_tx_buf_gc(dev);
 
 	if (!netfront_tx_slot_available(np))
 		netif_stop_queue(dev);
 
 	spin_unlock_irq(&np->tx_lock);
-
-	np->stats.tx_bytes += skb->len;
-	np->stats.tx_packets++;
 
 	return 0;
 
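Review bot: The comment added above network_tx_buf_gc(dev) states the rule but not the reason, so a later edit could easily reintroduce an skb access below it. Consider wording it as "network_tx_buf_gc() may free skb; do not touch skb past this point". The relocated np->stats.tx_bytes and np->stats.tx_packets updates now also sit before spin_unlock_irq(&np->tx_lock), whereas the removed lines ran after the unlock. That change in locking context for the counters is not mentioned in the description and deserves a sentence there.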
Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt