In drivers/net/arcnet/arcnet.c, the functions arcnet_reply_tasklet() and arcnet_send_packet() may be concurrently executed.
arcnet_reply_tasklet() line 430: dev_kfree_skb(lp->outgoing.skb); arcnet_send_packet() line 682: spin_lock_irqsave(); line 690: lp->outgoing.skb = skb; line 691: proto->prepare_tx(..., skb->len, ...) Thus, a possible concurrency use-after-free bug may occur. To fix this bug, the calls to spin_lock_irqsave() and spin_unlock_irqrestore() are added in arcnet_reply_tasklet() to protect dev_kfree_skb(lp->outgoing.skb). Signed-off-by: Jia-Ju Bai <baijiaju1...@gmail.com> --- drivers/net/arcnet/arcnet.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/arcnet/arcnet.c b/drivers/net/arcnet/arcnet.c index 8459115d9d4e..c5e943d01d66 100644 --- a/drivers/net/arcnet/arcnet.c +++ b/drivers/net/arcnet/arcnet.c @@ -426,10 +426,14 @@ static void arcnet_reply_tasklet(unsigned long data) serr->ee.ee_data = skb_shinfo(skb)->tskey; serr->ee.ee_info = lp->reply_status; + spin_lock_irqsave(&lp->lock, flags); + /* finally erasing outgoing skb */ dev_kfree_skb(lp->outgoing.skb); lp->outgoing.skb = NULL; + spin_unlock_irqrestore(&lp->lock, flags); + ackskb->dev = lp->dev; ret = sock_queue_err_skb(sk, ackskb); -- 2.17.0
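Review bot: the added `spin_lock_irqsave(&lp->lock, flags);` in arcnet_reply_tasklet() uses `flags`, but the hunk adds no declaration for it and none appears in the shown context (the diffstat is 4 insertions: the lock, the unlock and two blank lines); please confirm that an `unsigned long flags` already exists in that function, otherwise this does not build. Separately, the new critical section covers only `dev_kfree_skb(lp->outgoing.skb);` and `lp->outgoing.skb = NULL;`, while the context line immediately above it, `serr->ee.ee_data = skb_shinfo(skb)->tskey;`, dereferences `skb` outside the lock; if `skb` is the same outgoing buffer that arcnet_send_packet() can replace under lp->lock, the race described in the commit message is only narrowed, not closed, and the lock should be taken before the function first reads lp->outgoing.skb. A short note in the commit message on why the lock is safe to take from tasklet (softirq) context, i.e. that lp->lock is not already held on this path, would help reviewers.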