From 13839ef377124956dac8a58887abfd7d8d9414ca Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=B4me=20Pouiller?=
Date: Fri, 15 May 2020 10:33:16 +0200
Subject: [PATCH] staging: wfx: fix potential use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
wfx_tx_policy_put() use data from the skb. However, the call to skb_pull() has just discarded them (even if the memory is in fact not really discarded).
Signed-off-by: Jérôme Pouiller
Link: https://lore.kernel.org/r/20200515083325.378539-11-Jerome.Pouiller@silabs.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/wfx/data_tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/wfx/data_tx.c b/drivers/staging/wfx/data_tx.c
index 314cc27..d01e679 100644
--- a/drivers/staging/wfx/data_tx.c
+++ b/drivers/staging/wfx/data_tx.c
@@ -494,8 +494,8 @@ static void wfx_skb_dtor(struct wfx_vif *wvif, struct sk_buff *skb)
 req->data_flags.fc_offset;
 WARN_ON(!wvif);
- skb_pull(skb, offset);
 wfx_tx_policy_put(wvif, req->tx_flags.retry_policy_index);
+ skb_pull(skb, offset);
 ieee80211_tx_status_irqsafe(wvif->wdev->hw, skb);
 }
--
2.7.4
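Review bot: `WARN_ON(!wvif)` only logs, so a NULL `wvif` is still passed to `wfx_tx_policy_put()` and then dereferenced in `wvif->wdev->hw` on the last statement of the hunk; the reorder leaves that path as it was. A guard such as `if (WARN_ON(!wvif)) return;` would stop there, but who releases the skb on that path has to be settled first, and the caller is not visible here. Separately, the fix now depends purely on statement order, so a comment above the call, e.g. `/* req points into the skb header: read it before skb_pull() drops it */`, would keep a later cleanup from swapping the two lines back. The declarations of `req` and `offset` begin before the hunk, so the exact aliasing of `req` onto `skb->data` is taken from the commit message rather than from visible code.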