bnxt: prevent skb UAF after handing over to PTP worker
[linux-stable] / drivers / net / ethernet / broadcom / bnxt / bnxt.c
index 964354536f9ce27c176dd44957dccd7c61397abf..111a952f880ee63d63fa341c4a625d8079421d49 100644 (file)
@@ -662,7 +662,6 @@ static void bnxt_tx_int(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts)
 
        for (i = 0; i < nr_pkts; i++) {
                struct bnxt_sw_tx_bd *tx_buf;
-               bool compl_deferred = false;
                struct sk_buff *skb;
                int j, last;
 
@@ -671,6 +670,8 @@ static void bnxt_tx_int(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts)
                skb = tx_buf->skb;
                tx_buf->skb = NULL;
 
+               tx_bytes += skb->len;
+
                if (tx_buf->is_push) {
                        tx_buf->is_push = 0;
                        goto next_tx_int;
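Review bot: The position of `tx_bytes += skb->len;` ahead of the `is_push` branch is what keeps the byte accounting from reading an skb that may already be gone, but nothing on the line says so. A later cleanup could easily move the accounting back next to the free at `next_tx_int` and reintroduce the use-after-free. A short comment would pin the ordering, for example `/* read len now: the skb may be handed to the PTP worker below */`. Push packets are still counted, because the addition precedes the `goto next_tx_int`. The body of bnxt_tx_int starts and ends outside this hunk.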
@@ -691,8 +692,9 @@ static void bnxt_tx_int(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts)
                }
                if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
                        if (bp->flags & BNXT_FLAG_CHIP_P5) {
+                               /* PTP worker takes ownership of the skb */
                                if (!bnxt_get_tx_ts_p5(bp, skb))
-                                       compl_deferred = true;
+                                       skb = NULL;
                                else
                                        atomic_inc(&bp->ptp_cfg->tx_avail);
                        }
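Review bot: The added comment sits above the `if`, so it reads as if ownership always moves to the PTP worker. The code clears `skb` only when `bnxt_get_tx_ts_p5()` returns zero, and otherwise keeps it for the normal free. Wording the comment for the success branch would be clearer, e.g. `/* on success the PTP worker owns the skb; do not touch it here again */`. The return-value contract of `bnxt_get_tx_ts_p5()` is not visible in this diff, so it is worth documenting at that function as well. The outer `if (unlikely(...))` block closes outside the hunk.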
@@ -701,9 +703,7 @@ static void bnxt_tx_int(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts)
 next_tx_int:
                cons = NEXT_TX(cons);
 
-               tx_bytes += skb->len;
-               if (!compl_deferred)
-                       dev_kfree_skb_any(skb);
+               dev_kfree_skb_any(skb);
        }
 
        netdev_tx_completed_queue(txq, nr_pkts, tx_bytes);
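Review bot: `dev_kfree_skb_any(skb);` is now reached with `skb == NULL` whenever the timestamp path handed the packet to the PTP worker, so correctness depends on the helper tolerating a NULL pointer. The mainline free helpers return early on NULL, but as this is a stable-tree change that is worth confirming for the target branch. A comment at the call would make the reliance explicit: `/* skb is NULL if the PTP worker took ownership */`. The lines between the previous hunk and `next_tx_int:` are not shown, so it should also be checked that nothing there dereferences `skb` after it has been cleared.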