net: qualcomm: rmnet: Fix use after free while sending command ack

When sending an ack to a command packet, the skb is still referenced
after it is sent to the real device. Since the real device could
free the skb, the device pointer would be invalid.
Also, remove an unnecessary variable.

Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
index 56a93df962e6a66c83653e720b4c4571679fdb73..3ee8ae9b68387318a71a599af5e34a19f48a5c6c 100644 (file)
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c
@@ -67,7 +67,7 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
                               struct rmnet_port *port)
 {
        struct rmnet_map_control_command *cmd;
-       int xmit_status;
+       struct net_device *dev = skb->dev;
 
        if (port->data_format & RMNET_FLAGS_INGRESS_MAP_CKSUMV4)
                skb_trim(skb,
@@ -78,9 +78,9 @@ static void rmnet_map_send_ack(struct sk_buff *skb,
        cmd = RMNET_MAP_GET_CMD_START(skb);
        cmd->cmd_type = type & 0x03;
 
-       netif_tx_lock(skb->dev);
-       xmit_status = skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev);
-       netif_tx_unlock(skb->dev);
+       netif_tx_lock(dev);
+       dev->netdev_ops->ndo_start_xmit(skb, dev);
+       netif_tx_unlock(dev);
 }
 
 /* Process MAP command frame and send N/ACK message as appropriate. Message cmd