diff options
author | Michael S. Tsirkin <mst@redhat.com> | 2018-01-26 00:36:31 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-01-29 18:02:53 +0100 |
commit | 88fae87327a2261cf8db078f6ce4e5a3e55b30b1 (patch) | |
tree | 06987686791f41db7e129f796f88839bda3bbeff /drivers/net/tap.c | |
parent | ptr_ring: READ/WRITE_ONCE for __ptr_ring_empty (diff) | |
download | linux-88fae87327a2261cf8db078f6ce4e5a3e55b30b1.tar.xz linux-88fae87327a2261cf8db078f6ce4e5a3e55b30b1.zip |
tap: fix use-after-free
Lockless access to __ptr_ring_full is only legal if ring is
never resized, otherwise it might cause use-after free errors.
Simply drop the lockless test, we'll drop the packet
a bit later when produce fails.
Fixes: 362899b8 ("macvtap: switch to use skb array")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r-- | drivers/net/tap.c | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 7c38659b2a76..77872699c45d 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb) if (!q) return RX_HANDLER_PASS; - if (__ptr_ring_full(&q->ring)) - goto drop; - skb_push(skb, ETH_HLEN); /* Apply the forward feature mask so that we perform segmentation |