From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Miller <davem@davemloft.net>
Subject: Re: [PATCH] rapidio/rionet: do not free skb before reading its
 length
Date: Wed, 28 Nov 2018 10:41:58 -0800 (PST)
Message-ID: <20181128.104158.314372136288891394.davem@davemloft.net>
References: <1543387999-115433-1-git-send-email-bianpan2016@163.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        alexandre.bounine@idt.com
To: bianpan2016@163.com
Return-path: <linux-kernel-owner@vger.kernel.org>
In-Reply-To: <1543387999-115433-1-git-send-email-bianpan2016@163.com>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

From: Pan Bian <bianpan2016@163.com>
Date: Wed, 28 Nov 2018 14:53:19 +0800

> skb is freed via dev_kfree_skb_any, however, skb->len is read then. This
> may result in a use-after-free bug.
> 
> Fixes: e6161d64263 ("rapidio/rionet: rework driver initialization and removal")
> Signed-off-by: Pan Bian <bianpan2016@163.com>

Applied and queued up for -stable.