diff mbox series

[v2,net-next] net: dm9051: Fix use after free in dm9051_loop_tx()

Message ID 20220221105440.GA10045@kili (mailing list archive)
State Accepted
Commit b6553c71813f57b1bfa775af120169c549f7f090
Delegated to: Netdev Maintainers
Headers show
Series [v2,net-next] net: dm9051: Fix use after free in dm9051_loop_tx() | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 2 maintainers not CCed: colin.king@intel.com yang.lee@linux.alibaba.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 20 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Dan Carpenter Feb. 21, 2022, 10:54 a.m. UTC 
This code dereferences "skb" after calling dev_kfree_skb().

Fixes: 2dc95a4d30ed ("net: Add dm9051 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Only record successful transfers

 drivers/net/ethernet/davicom/dm9051.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org Feb. 22, 2022, 5 a.m. UTC | #1 
Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 21 Feb 2022 13:54:40 +0300 you wrote:
> This code dereferences "skb" after calling dev_kfree_skb().
> 
> Fixes: 2dc95a4d30ed ("net: Add dm9051 driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: Only record successful transfers
> 
> [...]

Here is the summary with links:
  - [v2,net-next] net: dm9051: Fix use after free in dm9051_loop_tx()
    https://git.kernel.org/netdev/net-next/c/b6553c71813f

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/ethernet/davicom/dm9051.c b/drivers/net/ethernet/davicom/dm9051.c
index a63d17e669a0..20cdca06d267 100644
--- a/drivers/net/ethernet/davicom/dm9051.c
+++ b/drivers/net/ethernet/davicom/dm9051.c
@@ -845,17 +845,19 @@  static int dm9051_loop_tx(struct board_info *db)
 
 	while (!skb_queue_empty(&db->txq)) {
 		struct sk_buff *skb;
+		unsigned int len;
 
 		skb = skb_dequeue(&db->txq);
 		if (skb) {
 			ntx++;
 			ret = dm9051_single_tx(db, skb->data, skb->len);
+			len = skb->len;
 			dev_kfree_skb(skb);
 			if (ret < 0) {
 				db->bc.tx_err_counter++;
 				return 0;
 			}
-			ndev->stats.tx_bytes += skb->len;
+			ndev->stats.tx_bytes += len;
 			ndev->stats.tx_packets++;
 		}