net: dm9051: Fix use after free in dm9051_loop_tx()

This code dereferences "skb" after calling dev_kfree_skb().

Fixes: 2dc95a4d30ed ("net: Add dm9051 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220221105440.GA10045@kili
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ethernet/davicom/dm9051.c b/drivers/net/ethernet/davicom/dm9051.c
index 6a2bcfb..b4b5c9c 100644 (file)
--- a/drivers/net/ethernet/davicom/dm9051.c
+++ b/drivers/net/ethernet/davicom/dm9051.c
@@ -845,17 +845,19 @@ static int dm9051_loop_tx(struct board_info *db)
 
        while (!skb_queue_empty(&db->txq)) {
                struct sk_buff *skb;
+               unsigned int len;
 
                skb = skb_dequeue(&db->txq);
                if (skb) {
                        ntx++;
                        ret = dm9051_single_tx(db, skb->data, skb->len);
+                       len = skb->len;
                        dev_kfree_skb(skb);
                        if (ret < 0) {
                                db->bc.tx_err_counter++;
                                return 0;
                        }
-                       ndev->stats.tx_bytes += skb->len;
+                       ndev->stats.tx_bytes += len;
                        ndev->stats.tx_packets++;
                }