On 28-11-2018 09:20, Pan Bian wrote: > The buffer skb is freed via dev_kfree_skb in a loop. After freeing skb, > the value of packet_count is updated via packet_count++. If packet_count > happens to equal the upper bound (i.e., budget), the loop will be broken > and skb may be assigned to desc_data->state.skb. Resulting that > desc_data->state.skb may point to a freed memory chunk. To fix this, the > patch sets skb to NULL after dev_kfree_skb(skb). > > Signed-off-by: Pan Bian <bianpan2...@163.com>
This is missing the Fixes tag and your patch prefix should be [PATCH net]. Thanks and Best Regards, Jose Miguel Abreu
