mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers/net/ethernet/renesas
Radu Rendec 9a0c28efee net: rswitch: Avoid use-after-free in rswitch_poll()
The use-after-free is actually in rswitch_tx_free(), which is inlined in
rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the
same pointer, the skb is first freed using dev_kfree_skb_any(), then the
value in skb->len is used to update the interface statistics.

Let's move around the instructions to use skb->len before the skb is
freed.

This bug is trivial to reproduce using KFENCE. It will trigger a splat
every few packets. A simple ARP request or ICMP echo request is enough.

Fixes: 271e015b91 ("net: rswitch: Add unmap_addrs instead of dma address in each desc")
Signed-off-by: Radu Rendec <rrendec@redhat.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Link: https://patch.msgid.link/20240702210838.2703228-1-rrendec@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-07-03 19:15:22 -07:00
..
Kconfig net: ravb: Make reset controller support mandatory 2024-02-06 11:14:56 +01:00
Makefile net: ethernet: renesas: rcar_gen4_ptp: Break out to module 2023-11-23 12:02:49 +01:00
ravb.h ravb: Unify Rx ring maintenance code paths 2024-03-06 11:23:21 +00:00
ravb_main.c net: annotate writes on dev->mtu from ndo_change_mtu() 2024-05-07 16:19:14 -07:00
ravb_ptp.c ptp: ravb: convert to .adjfine and adjust_by_scaled_ppm 2022-10-31 11:14:16 +00:00
rcar_gen4_ptp.c net: ethernet: renesas: rcar_gen4_ptp: Break out to module 2023-11-23 12:02:49 +01:00
rcar_gen4_ptp.h net: ethernet: renesas: rcar_gen4_ptp: Get clock increment from clock rate 2023-11-23 12:02:49 +01:00
rswitch.c net: rswitch: Avoid use-after-free in rswitch_poll() 2024-07-03 19:15:22 -07:00
rswitch.h net: rswitch: Allow jumbo frames 2023-12-10 19:31:42 +00:00
sh_eth.c net: annotate writes on dev->mtu from ndo_change_mtu() 2024-05-07 16:19:14 -07:00
sh_eth.h Revert "sh_eth: remove open coded netif_running()" 2023-03-28 19:23:32 -07:00