From df98714e432abf5cbdac3e4c1a13f94c65ddb8d3 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 18 May 2022 20:37:15 +0300 Subject: [PATCH] net: ethernet: SP7021: fix a use after free of skb->len The netif_receive_skb() function frees "skb" so store skb->len before it is freed. Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YoUuy4iTjFAcSn03@kili Signed-off-by: Jakub Kicinski --- drivers/net/ethernet/sunplus/spl2sw_int.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/sunplus/spl2sw_int.c b/drivers/net/ethernet/sunplus/spl2sw_int.c index 69b1e2e..a37c9a4 100644 --- a/drivers/net/ethernet/sunplus/spl2sw_int.c +++ b/drivers/net/ethernet/sunplus/spl2sw_int.c @@ -29,6 +29,7 @@ int spl2sw_rx_poll(struct napi_struct *napi, int budget) u32 mask; int port; u32 cmd; + u32 len; /* Process high-priority queue and then low-priority queue. */ for (queue = 0; queue < RX_DESC_QUEUE_NUM; queue++) { @@ -63,10 +64,11 @@ int spl2sw_rx_poll(struct napi_struct *napi, int budget) skb_put(skb, pkg_len - 4); /* Minus FCS */ skb->ip_summed = CHECKSUM_NONE; skb->protocol = eth_type_trans(skb, comm->ndev[port]); + len = skb->len; netif_receive_skb(skb); stats->rx_packets++; - stats->rx_bytes += skb->len; + stats->rx_bytes += len; /* Allocate a new skb for receiving. */ new_skb = netdev_alloc_skb(NULL, comm->rx_desc_buff_size); -- 2.7.4