mctp i2c: Fix potential use-after-free

The skb is handed off to netif_rx() which may free it.
Found by Smatch.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index 365c3df..470682c 100644 (file)
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -338,7 +338,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev)
 
        if (status == NET_RX_SUCCESS) {
                ndev->stats.rx_packets++;
-               ndev->stats.rx_bytes += skb->len;
+               ndev->stats.rx_bytes += recvlen;
        } else {
                ndev->stats.rx_dropped++;
        }