On Tue, 2 Jul 2024 17:08:37 -0400 Radu Rendec wrote:
> The use-after-free is actually in rswitch_tx_free(), which is inlined in
> rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the
> same pointer, the skb is first freed using dev_kfree_skb_any(), then the
> value in skb->len is used to update the interface statistics.
>
> Let's move around the instructions to use skb->len before the skb is
> freed.
>
> This bug is trivial to reproduce using KFENCE. It will trigger a splat
> every few packets. A simple ARP request or ICMP echo request is enough.

Please remember to add a Fixes tag in the future. I added one when applying.
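The ordering bug described in the quoted report, as an added, stand-alone model (this is not the rswitch driver's code and not part of the thread). A slab-like pool that poisons objects on free stands in for the kernel allocator, so the read of skb->len after the free returns visibly wrong statistics instead of undefined behaviour; the struct names, the 42/98 byte frame lengths and the 0x6b poison value are assumptions made for the example.

```c
/* Added example, not rswitch driver code. Models "free the skb, then read
 * skb->len for the TX statistics" against the corrected ordering. */
#include <stddef.h>
#include <string.h>

#define POOL_SIZE   8
#define RING_SIZE   4
#define FREE_POISON 0x6b6b6b6bu   /* assumption: mimic SLUB's 0x6b freed-object poison */

struct skb {
    unsigned int len;
    int in_use;
};

/* Slab-like pool: freeing poisons the object but keeps the memory mapped,
 * so a read after free returns garbage rather than faulting. KFENCE would
 * instead unmap the object and trap the access with a splat. */
static struct skb pool[POOL_SIZE];

static struct skb *skb_alloc(unsigned int len)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].len = len;
            return &pool[i];
        }
    }
    return NULL;
}

/* Stand-in for dev_kfree_skb_any(): object is gone, contents poisoned. */
static void kfree_skb_sim(struct skb *skb)
{
    skb->in_use = 0;
    skb->len = FREE_POISON;
}

struct tx_queue {
    struct skb *skbs[RING_SIZE];
    unsigned int dirty;   /* oldest completed descriptor */
    unsigned int cur;     /* next descriptor to be completed */
};

struct stats { unsigned long packets, bytes; };

/* Buggy ordering (assumed to mirror the report): free first, read len after. */
static void tx_free_buggy(struct tx_queue *gq, struct stats *st)
{
    while (gq->dirty != gq->cur) {
        struct skb *skb = gq->skbs[gq->dirty % RING_SIZE];
        gq->skbs[gq->dirty % RING_SIZE] = NULL;
        kfree_skb_sim(skb);        /* skb released here ...            */
        st->packets++;
        st->bytes += skb->len;     /* ... and dereferenced here: UAF    */
        gq->dirty++;
    }
}

/* Fixed ordering: consume every field you need, then release the object. */
static void tx_free_fixed(struct tx_queue *gq, struct stats *st)
{
    while (gq->dirty != gq->cur) {
        struct skb *skb = gq->skbs[gq->dirty % RING_SIZE];
        gq->skbs[gq->dirty % RING_SIZE] = NULL;
        st->packets++;
        st->bytes += skb->len;     /* read while the skb is still valid */
        kfree_skb_sim(skb);        /* only now give it back             */
        gq->dirty++;
    }
}

/* Queue two constructed frames (42-byte ARP, 98-byte ICMP echo), run one of
 * the two completion paths, and return the resulting byte counter. */
static unsigned long run_completion(int fixed)
{
    struct tx_queue gq;
    struct stats st = {0, 0};

    memset(&gq, 0, sizeof(gq));
    memset(pool, 0, sizeof(pool));
    gq.skbs[0] = skb_alloc(42);
    gq.skbs[1] = skb_alloc(98);
    gq.cur = 2;

    if (fixed)
        tx_free_fixed(&gq, &st);
    else
        tx_free_buggy(&gq, &st);
    return st.bytes;
}
```

With the poisoning allocator the buggy path accumulates 2 * 0x6b6b6b6b bytes for two small frames, which is the kind of silently wrong counter this class of bug produces when no debug allocator is active; under KFENCE or KASAN the same read is reported as a use-after-free at the `st->bytes += skb->len` line.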