From: Michael S. Tsirkin
Date: Thu, 25 Jan 2018 23:36:31 +0000 (+0200)
Subject: tap: fix use-after-free
X-Git-Tag: v4.16-rc1~123^2~26^2~8
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=88fae87327a2261cf8db078f6ce4e5a3e55b30b1;p=users%2Fwilly%2Fxarray.git

tap: fix use-after-free

Lockless access to __ptr_ring_full is only legal if ring is never resized, otherwise it might cause use-after free errors. Simply drop the lockless test, we'll drop the packet a bit later when produce fails.

Fixes: 362899b8 ("macvtap: switch to use skb array")
Signed-off-by: Michael S. Tsirkin
Signed-off-by: David S. Miller
---

diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 7c38659b2a76..77872699c45d 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb) if (!q) return RX_HANDLER_PASS; - if (__ptr_ring_full(&q->ring)) - goto drop; - skb_push(skb, ETH_HLEN); /* Apply the forward feature mask so that we perform segmentation
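
Review bot: With the `__ptr_ring_full(&q->ring)` test removed right after the `if (!q)` check in `tap_handle_frame()`, a full ring is only noticed after `skb_push()` and the feature-mask/segmentation step that follows, so packets headed for a full queue now pay that cost before being dropped. The commit message accepts the later drop, but a short comment at this spot saying that fullness is deliberately left to the produce call (because the ring can be resized) would keep someone from reintroducing a lockless pre-check as an optimisation. Since it is outside the visible context, it is worth confirming that the produce-failure path frees every segment when the skb has been segmented, and that the `drop` label still has users after this removal. Minor: the `Fixes:` tag carries an 8-character hash; kernel convention asks for at least 12.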