From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, kernel test robot <lkp@intel.com>,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH 4.19 19/30] staging: gdm724x: fix use after free in gdm_lte_rx()
Date: Mon, 14 Mar 2022 12:34:37 +0100 [thread overview]
Message-ID: <20220314112732.330374679@linuxfoundation.org> (raw)
In-Reply-To: <20220314112731.785042288@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
commit fc7f750dc9d102c1ed7bbe4591f991e770c99033 upstream.
The netif_rx_ni() function frees the skb so we can't dereference it to
save the skb->len.
Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
Cc: stable <stable@vger.kernel.org>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220228074331.GA13685@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/gdm724x/gdm_lte.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/staging/gdm724x/gdm_lte.c
+++ b/drivers/staging/gdm724x/gdm_lte.c
@@ -76,14 +76,15 @@ static void tx_complete(void *arg)
static int gdm_lte_rx(struct sk_buff *skb, struct nic *nic, int nic_type)
{
- int ret;
+ int ret, len;
+ len = skb->len + ETH_HLEN;
ret = netif_rx_ni(skb);
if (ret == NET_RX_DROP) {
nic->stats.rx_dropped++;
} else {
nic->stats.rx_packets++;
- nic->stats.rx_bytes += skb->len + ETH_HLEN;
+ nic->stats.rx_bytes += len;
}
return 0;
next prev parent reply other threads:[~2022-03-14 11:40 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-14 11:34 [PATCH 4.19 00/30] 4.19.235-rc1 review Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 01/30] net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare() Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 02/30] qed: return status of qed_iov_get_link Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 03/30] ethernet: Fix error handling in xemaclite_of_probe Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 04/30] net: ethernet: ti: cpts: Handle error for clk_enable Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 05/30] net: ethernet: lpc_eth: " Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 06/30] ax25: Fix NULL pointer dereference in ax25_kill_by_device Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 07/30] net/mlx5: Fix size field in bufferx_reg struct Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 08/30] NFC: port100: fix use-after-free in port100_send_complete Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 09/30] gpio: ts4900: Do not set DAT and OE together Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 10/30] gianfar: ethtool: Fix refcount leak in gfar_get_ts_info Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 11/30] net: phy: DP83822: clear MISR2 register to disable interrupts Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 12/30] sctp: fix kernel-infoleak for SCTP sockets Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 13/30] net-sysfs: add check for netdevice being present to speed_show Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 14/30] Revert "xen-netback: remove hotplug-status once it has served its purpose" Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 15/30] Revert "xen-netback: Check for hotplug-status existence before watching" Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 16/30] tracing: Ensure trace buffer is at least 4096 bytes large Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 17/30] selftests/memfd: clean up mapping in mfd_fail_write Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 18/30] ARM: Spectre-BHB: provide empty stub for non-config Greg Kroah-Hartman
2022-03-14 11:34 ` Greg Kroah-Hartman [this message]
2022-03-14 11:34 ` [PATCH 4.19 20/30] net: macb: Fix lost RX packet wakeup race in NAPI receive Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 21/30] riscv: Fix auipc+jalr relocation range checks Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 22/30] KVM: arm64: Reset PMC_EL0 to avoid a panic() on systems with no PMU Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 23/30] virtio: unexport virtio_finalize_features Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 24/30] virtio: acknowledge all features before access Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 25/30] ARM: fix Thumb2 regression with Spectre BHB Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 26/30] ext4: add check to prevent attempting to resize an fs with sparse_super2 Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 27/30] btrfs: unlock newly allocated extent buffer after error Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 28/30] sched/topology: Make sched_init_numa() use a set for the deduplicating sort Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 29/30] sched/topology: Fix sched_domain_topology_level alloc in sched_init_numa() Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 30/30] ia64: ensure proper NUMA distance and possible map initialization Greg Kroah-Hartman
2022-03-14 13:58 ` [PATCH 4.19 00/30] 4.19.235-rc1 review Jon Hunter
2022-03-14 14:05 ` Greg Kroah-Hartman
2022-03-14 14:14 ` Jon Hunter
2022-03-14 14:57 ` Greg Kroah-Hartman
2022-03-15 12:14 ` James Morse
2022-03-15 12:28 ` Greg Kroah-Hartman
2022-03-14 14:32 ` Naresh Kamboju
2022-03-14 15:00 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220314112732.330374679@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox