From mboxrd@z Thu Jan 1 00:00:00 1970 From: Pan Bian Subject: [PATCH] amd-xgbe: set skb to NULL after freeing it Date: Wed, 28 Nov 2018 16:09:45 +0800 Message-ID: <1543392585-17962-1-git-send-email-bianpan2016@163.com> Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pan Bian To: Tom Lendacky , "David S. Miller" Return-path: Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org The buffer skb is freed via dev_kfree_skb in a loop. skb may be used again in the next iteration, resulting in a use-after-free bug. To fix this, the patch set skb to NULL after dev_kfree_skb(skb). Signed-off-by: Pan Bian --- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c index 0cc911f..ac6b82d 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c @@ -2754,6 +2754,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "error in received packet\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; } @@ -2806,6 +2807,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "packet length exceeds configured MTU\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; } -- 2.7.4
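Review bot: In the first hunk (the "error in received packet" path at @@ -2754), the added `skb = NULL;` only closes the use-after-free if the code reached through `goto next_packet` tests skb for NULL before touching it, and neither the hunk nor the commit message shows that test. The commit message says skb "may be used again in the next iteration" without naming the statement that does so. Please name that statement in the message so the fix can be checked against it, and add a Fixes: tag for the commit that introduced the stale pointer so stable trees can pick the change up.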
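Review bot: In the second hunk (the "packet length exceeds configured MTU" path at @@ -2807), this is the second copy of the same three-statement drop sequence, `dev_kfree_skb(skb); skb = NULL; goto next_packet;`, so the pointer reset is now a convention that every error path in xgbe_rx_poll must remember to repeat. Consider a single drop label placed ahead of next_packet that frees skb and clears the pointer, with both error paths jumping to it after their netif_err() call. That keeps the free and the reset together in one place, so a later error path cannot free skb and leave the pointer dangling.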