release/5.2.30/staging-rtl8192e-fix-potential-use-after-free.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 587edb094bf2c6d420f085d3761778b65675d40d Mon Sep 17 00:00:00 2001
 From: Pan Bian <bianpan2016@163.com>
 Date: Tue, 5 Nov 2019 22:49:11 +0800
 Subject: [PATCH] staging: rtl8192e: fix potential use after free

 commit b7aa39a2ed0112d07fc277ebd24a08a7b2368ab9 upstream.

 The variable skb is released via kfree_skb() when the return value of
 _rtl92e_tx is not zero. However, after that, skb is accessed again to
 read its length, which may result in a use after free bug. This patch
 fixes the bug by moving the release operation to where skb is never
 used later.

 Signed-off-by: Pan Bian <bianpan2016@163.com>
 Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
 Cc: stable <stable@vger.kernel.org>
 Link: https://lore.kernel.org/r/1572965351-6745-1-git-send-email-bianpan2016@163.com
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
 index f932cb15e4e5..c702ee9691b1 100644
 --- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
 +++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
 @@ -1616,14 +1616,15 @@ static void _rtl92e_hard_data_xmit(struct sk_buff *skb, struct net_device *dev,
  	memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
  	skb_push(skb, priv->rtllib->tx_headroom);
  	ret = _rtl92e_tx(dev, skb);
 -	if (ret != 0)
 -		kfree_skb(skb);

  	if (queue_index != MGNT_QUEUE) {
  		priv->rtllib->stats.tx_bytes += (skb->len -
  						 priv->rtllib->tx_headroom);
  		priv->rtllib->stats.tx_packets++;
  	}
 +
 +	if (ret != 0)
 +		kfree_skb(skb);
  }

  static int _rtl92e_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
 --
 2.7.4
	From 587edb094bf2c6d420f085d3761778b65675d40d Mon Sep 17 00:00:00 2001
	From: Pan Bian <bianpan2016@163.com>
	Date: Tue, 5 Nov 2019 22:49:11 +0800
	Subject: [PATCH] staging: rtl8192e: fix potential use after free

	commit b7aa39a2ed0112d07fc277ebd24a08a7b2368ab9 upstream.

	The variable skb is released via kfree_skb() when the return value of
	_rtl92e_tx is not zero. However, after that, skb is accessed again to
	read its length, which may result in a use after free bug. This patch
	fixes the bug by moving the release operation to where skb is never
	used later.

	Signed-off-by: Pan Bian <bianpan2016@163.com>
	Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
	Cc: stable <stable@vger.kernel.org>
	Link: https://lore.kernel.org/r/1572965351-6745-1-git-send-email-bianpan2016@163.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
	index f932cb15e4e5..c702ee9691b1 100644
	--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
	+++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
	@@ -1616,14 +1616,15 @@ static void _rtl92e_hard_data_xmit(struct sk_buff skb, struct net_device dev,
	memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
	skb_push(skb, priv->rtllib->tx_headroom);
	ret = _rtl92e_tx(dev, skb);
	- if (ret != 0)
	- kfree_skb(skb);

	if (queue_index != MGNT_QUEUE) {
	priv->rtllib->stats.tx_bytes += (skb->len -
	priv->rtllib->tx_headroom);
	priv->rtllib->stats.tx_packets++;
	}
	+
	+ if (ret != 0)
	+ kfree_skb(skb);
	}

	static int _rtl92e_hard_start_xmit(struct sk_buff skb, struct net_device dev)
	--
	2.7.4