From: Eric Dumazet Date: Thu, 19 Dec 2013 18:53:02 +0000 (-0800) Subject: net: fec: fix potential use after free X-Git-Tag: firefly_0821_release~3679^2~3097 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=cf3daa7cbcf9ac14a7549239d7ff3464138a79c8;p=firefly-linux-kernel-4.4.55.git net: fec: fix potential use after free [ Upstream commit 7a2a84518cfb263d2c4171b3d63671f88316adb2 ] skb_tx_timestamp(skb) should be called _before_ TX completion has a chance to trigger, otherwise it is too late and we access freed memory. Signed-off-by: Eric Dumazet Fixes: de5fb0a05348 ("net: fec: put tx to napi poll function to fix dead lock") Cc: Frank Li Cc: Richard Cochran Acked-by: Richard Cochran Acked-by: Frank Li Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index d48099f03b7f..fbd0d7df67d8 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -371,6 +371,8 @@ fec_enet_start_xmit(struct sk_buff *skb, struct net_device *ndev) else bdp = fec_enet_get_nextdesc(bdp, fep->bufdesc_ex); + skb_tx_timestamp(skb); + fep->cur_tx = bdp; if (fep->cur_tx == fep->dirty_tx) @@ -379,8 +381,6 @@ fec_enet_start_xmit(struct sk_buff *skb, struct net_device *ndev) /* Trigger transmission start */ writel(0, fep->hwp + FEC_X_DES_ACTIVE); - skb_tx_timestamp(skb); - return NETDEV_TX_OK; }