net: qualcomm: rmnet: Fix use after free while sending command ack (2a3d83c1) · Commits · e / devices / android_kernel_oneplus_sm8150

When sending an ack to a command packet, the skb is still referenced after it is sent to the real device. Since the real device could free the skb, the device pointer would be invalid. Also, remove an unnecessary variable. CRs-Fixed: 2233026 Change-Id: I79baf20b52a51041d2d1a4da73a70fb4b320544e Fixes: ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation") Signed-off-by:

David S. Miller <davem@davemloft.net> Git-commit: Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by:

Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -67,7 +67,7 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
		struct rmnet_port *port)
		{
		struct rmnet_map_control_command *cmd;
		int xmit_status;
		struct net_device *dev = skb->dev;

		if (port->data_format & RMNET_FLAGS_INGRESS_MAP_CKSUMV4)
		skb_trim(skb,
		@@ -78,9 +78,9 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
		cmd = RMNET_MAP_GET_CMD_START(skb);
		cmd->cmd_type = type & 0x03;

		netif_tx_lock(skb->dev);
		xmit_status = skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev);
		netif_tx_unlock(skb->dev);
		netif_tx_lock(dev);
		dev->netdev_ops->ndo_start_xmit(skb, dev);
		netif_tx_unlock(dev);
		}

		/* Process MAP command frame and send N/ACK message as appropriate. Message cmd