Commit b6553c71 authored by Dan Carpenter's avatar Dan Carpenter Committed by Jakub Kicinski
Browse files

net: dm9051: Fix use after free in dm9051_loop_tx() 



This code dereferences "skb" after calling dev_kfree_skb().

Fixes: 2dc95a4d ("net: Add dm9051 driver")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220221105440.GA10045@kili


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent a0b92e05

drivers/net/ethernet/davicom/dm9051.c

+3 −1
Original line number Diff line number Diff line
@@ -845,17 +845,19 @@ static int dm9051_loop_tx(struct board_info *db) 


	while (!skb_queue_empty(&db->txq)) {

		struct sk_buff *skb;

		unsigned int len;



		skb = skb_dequeue(&db->txq);

		if (skb) {

			ntx++;

			ret = dm9051_single_tx(db, skb->data, skb->len);

			len = skb->len;

			dev_kfree_skb(skb);

			if (ret < 0) {

				db->bc.tx_err_counter++;

				return 0;

			}

			ndev->stats.tx_bytes += skb->len;

			ndev->stats.tx_bytes += len;

			ndev->stats.tx_packets++;

		}