[3.5.y.z extended stable] Patch "firewire: net: fix use after free" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Thu Mar 13 11:00:29 UTC 2014 

This is a note to let you know that I have just added a patch titled

    firewire: net: fix use after free

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 3f456344983dfe105c10bdbd3faba850b0cd53e1 Mon Sep 17 00:00:00 2001
From: Stefan Richter <stefanr at s5r6.in-berlin.de>
Date: Tue, 18 Feb 2014 22:25:15 +0100
Subject: firewire: net: fix use after free

commit 8987583366ae9e03c306c2b7d73bdb952df1d08d upstream.

Commit 8408dc1c14c1 "firewire: net: use dev_printk API" introduced a
use-after-free in a failure path.  fwnet_transmit_packet_failed(ptask)
may free ptask, then the dev_err() call dereferenced it.  The fix is
straightforward; simply reorder the two calls.

Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Stefan Richter <stefanr at s5r6.in-berlin.de>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/firewire/net.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
index 638e1f7..7cff7f7 100644
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -1014,8 +1014,6 @@ static void fwnet_write_complete(struct fw_card *card, int rcode,
 	if (rcode == RCODE_COMPLETE) {
 		fwnet_transmit_packet_done(ptask);
 	} else {
-		fwnet_transmit_packet_failed(ptask);
-
 		if (printk_timed_ratelimit(&j,  1000) || rcode != last_rcode) {
 			dev_err(&ptask->dev->netdev->dev,
 				"fwnet_write_complete failed: %x (skipped %d)\n",
@@ -1023,8 +1021,10 @@ static void fwnet_write_complete(struct fw_card *card, int rcode,

 			errors_skipped = 0;
 			last_rcode = rcode;
-		} else
+		} else {
 			errors_skipped++;
+		}
+		fwnet_transmit_packet_failed(ptask);
 	}
 }

--
1.9.0

More information about the kernel-team mailing list