The buffer skb is freed via dev_kfree_skb in a loop. skb may be used again in the next iteration, resulting in a use-after-free bug. To fix this, the patch sets skb to NULL after dev_kfree_skb(skb).
Signed-off-by: Pan Bian <bianpan2...@163.com>
---
 drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index 0cc911f..ac6b82d 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -2754,6 +2754,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
 netif_err(pdata, rx_err, netdev, "error in received packet\n");
 dev_kfree_skb(skb);
+ skb = NULL;
 goto next_packet;
 }
@@ -2806,6 +2807,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
 netif_err(pdata, rx_err, netdev, "packet length exceeds configured MTU\n");
 dev_kfree_skb(skb);
+ skb = NULL;
 goto next_packet;
 }
-- 
2.7.4
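Review bot: The `skb = NULL;` reset after `dev_kfree_skb(skb)` in the "error in received packet" branch, and the identical one in the second hunk's "packet length exceeds configured MTU" branch, carry no comment explaining that they keep a freed buffer from being read after `next_packet`. Both branches are taken based on the contents of received frames, so a stale pointer here would be reachable from traffic on the wire. I would add `/* skb was freed above; clear it so nothing after next_packet sees a stale pointer */` at both sites. Alternatively, route both branches through one shared drop label that does the free and the reset, so a future error branch cannot omit the reset. The loop head and the code after `next_packet` lie outside both hunks, so whether skb is already reassigned there before any use should be confirmed against the full function.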