summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2018-01-26 00:36:31 +0100
committerDavid S. Miller <davem@davemloft.net>2018-01-29 18:02:53 +0100
commit88fae87327a2261cf8db078f6ce4e5a3e55b30b1 (patch)
tree06987686791f41db7e129f796f88839bda3bbeff
parentptr_ring: READ/WRITE_ONCE for __ptr_ring_empty (diff)
downloadlinux-88fae87327a2261cf8db078f6ce4e5a3e55b30b1.tar.xz
linux-88fae87327a2261cf8db078f6ce4e5a3e55b30b1.zip
tap: fix use-after-free
Lockless access to __ptr_ring_full is only legal if ring is never resized, otherwise it might cause use-after free errors. Simply drop the lockless test, we'll drop the packet a bit later when produce fails. Fixes: 362899b8 ("macvtap: switch to use skb array") Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/tap.c3
1 files changed, 0 insertions, 3 deletions
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 7c38659b2a76..77872699c45d 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb)
if (!q)
return RX_HANDLER_PASS;
- if (__ptr_ring_full(&q->ring))
- goto drop;
-
skb_push(skb, ETH_HLEN);
/* Apply the forward feature mask so that we perform segmentation