Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp799172imu;
        Tue, 27 Nov 2018 22:56:08 -0800 (PST)
X-Google-Smtp-Source: AFSGD/U39sj+8lZcIt0HSnfK21/Hor1MgNYsdCtPSu1l6j5uWuXtu0EXL6fupMrr7RiDdT3xV3Dx
X-Received: by 2002:a62:2c81:: with SMTP id s123mr32531575pfs.174.1543388168232;
        Tue, 27 Nov 2018 22:56:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543388168; cv=none;
        d=google.com; s=arc-20160816;
        b=02sKFcb2bDD02geXYS2nXfOyQCuDo7LR6RcLPGWLlIDyfiDJNxxkcGX8wT8B6W0gOw
         oblL/EN7OBXKHaOxQLfOQi3wpuT0AMr8Nirv9PkzCifSnclfCnsaEqXPk6LNYJn9QhzX
         6fvehbo4T0caFppGDpM0qk0IIFvmCZjBKWwDKxHxk4AYDkTCy9TMcg2NkssKnnITj1Tv
         7XPD3SIAwByqDlyS4R24gr3s010tmqLP9hFXCcxZ+X0iQ7kYZSS+Bp/xFI+sC6TWjzHH
         DJOESkYIogdLXkldE6tpoLbsXWQU2c5AwpprXE60oeElv2rjx1FprrVoVhSoAfo99FC+
         KF4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=Pggwhj1fBXnFvLoo9Xa6KiblLoMCJt+kMhaTX3GV/iI=;
        b=PuYlpCFqWIxOiPPQiOvyRAHHZ2F5yDQbuYpyEB/1zJJ9brMUIYxDBsX3EIu4ZtWVOl
         3Gk7XUnWjoiMxRtbK48FkC5QPYBZyRrSqdUvzTXH5FYIsldoPVwei2hYdQ6guEi7RUKu
         n9u3K5QbV9hLekKyZhVo6dvLiSWG+A8QDi0Gcr/WGWKEABXbUBYQtmFDdoTdM/U9gfib
         OERlyWc8dpYdmZBF9WhJyuCNAZqWhV0MvxjAUCGhJPVcCwSRX8AAoCsPClcl4Hp/N83E
         QF1LS6JTrcMtpGpxVTYJkmFBnJ2NyB/bahUkSZqu2oJfSDEnWr7z9BqIB83g38D4d+oW
         o1Aw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@163.com header.s=s110527 header.b="aCL/JicF";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id bb4si6262581plb.322.2018.11.27.22.55.50;
        Tue, 27 Nov 2018 22:56:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@163.com header.s=s110527 header.b="aCL/JicF";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727390AbeK1Ryb (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Wed, 28 Nov 2018 12:54:31 -0500
Received: from m12-16.163.com ([220.181.12.16]:35409 "EHLO m12-16.163.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727107AbeK1Ryb (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 28 Nov 2018 12:54:31 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
        s=s110527; h=From:Subject:Date:Message-Id; bh=Pggwhj1fBXnFvLoo9X
        a6KiblLoMCJt+kMhaTX3GV/iI=; b=aCL/JicFDbMyWKCml8yJGDrY6grESNOKF/
        imwrrEBS2veKNDmrnO4/R1wSlmQ198WviiD0VDHSZ92Nz8YLFY+9GjvG8aXoqp3H
        wBAwVlbrOdsB1S1UC2B4cxTa2x/sLO6BXv4b4EnSTQUzfZSkn8LWPK7hSro6bQPw
        ztvvH6b+o=
Received: from bp.localdomain (unknown [106.120.213.96])
        by smtp12 (Coremail) with SMTP id EMCowAAHATVeO_5bmYpKAQ--.19291S3;
        Wed, 28 Nov 2018 14:53:28 +0800 (CST)
From:   Pan Bian <bianpan2016@163.com>
To:     "David S. Miller" <davem@davemloft.net>
Cc:     netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        Alexandre Bounine <alexandre.bounine@idt.com>,
        Pan Bian <bianpan2016@163.com>
Subject: [PATCH] rapidio/rionet: do not free skb before reading its length
Date:   Wed, 28 Nov 2018 14:53:19 +0800
Message-Id: <1543387999-115433-1-git-send-email-bianpan2016@163.com>
X-Mailer: git-send-email 2.7.4
X-CM-TRANSID: EMCowAAHATVeO_5bmYpKAQ--.19291S3
X-Coremail-Antispam: 1Uf129KBjvdXoW7JrykJw4rJF15ZFW7AF1fWFg_yoW3Zwc_uF
        10ganrW345Grs09w15Jw4fXryFkrs8XFW8uw1Sqr9Iya47Gr97ZwsavrsxGr93ur4xWF9x
        GFyxtr1xAa4YqjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
        9fnUUvcSsGvfC2KfnxnUUI43ZEXa7IU0JCztUUUUU==
X-Originating-IP: [106.120.213.96]
X-CM-SenderInfo: held01tdqsiiqw6rljoofrz/1tbiVBYNclUMGMCUKwAAsD
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

skb is freed via dev_kfree_skb_any, however, skb->len is read then. This
may result in a use-after-free bug.

Fixes: e6161d64263 ("rapidio/rionet: rework driver initialization and removal")
Signed-off-by: Pan Bian <bianpan2016@163.com>
---
 drivers/net/rionet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c
index e9f101c..bfbb39f 100644
--- a/drivers/net/rionet.c
+++ b/drivers/net/rionet.c
@@ -216,9 +216,9 @@ static int rionet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
 			 * it just report sending a packet to the target
 			 * (without actual packet transfer).
 			 */
-			dev_kfree_skb_any(skb);
 			ndev->stats.tx_packets++;
 			ndev->stats.tx_bytes += skb->len;
+			dev_kfree_skb_any(skb);
 		}
 	}
 
-- 
2.7.4