diff mbox series

[v3,1/3] can: dev: can_restart: fix use after free bug

Message ID 20210120102443.198143-2-mailhol.vincent@wanadoo.fr (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series Fix several use after free bugs | expand

Checks

Context Check Description
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Vincent Mailhol Jan. 20, 2021, 10:24 a.m. UTC 
After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the netif_rx_ni() in:
      stats->rx_bytes += cf->len;

Reordering the lines solves the issue.

*Remark for upstream*
drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
below commit, please carry the patch forward.
Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
into separate subdir")

Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
 drivers/net/can/dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Dan Carpenter Jan. 20, 2021, 10:42 a.m. UTC | #1 
On Wed, Jan 20, 2021 at 07:24:41PM +0900, Vincent Mailhol wrote:
> After calling netif_rx_ni(skb), dereferencing skb is unsafe.
> Especially, the can_frame cf which aliases skb memory is accessed
> after the netif_rx_ni() in:
>       stats->rx_bytes += cf->len;
> 
> Reordering the lines solves the issue.
> 
> *Remark for upstream*
> drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
> below commit, please carry the patch forward.
> Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
> into separate subdir")

Put these sorts of comments under the --- so that they aren't included
in the permanent git log.

> 
> Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
> Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> ---
  ^^^

comment below this line are removed from the git log.

>  drivers/net/can/dev.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 

regards,
dan carpenter
diff mbox series

Patch

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 3486704c8a95..8b1ae023cb21 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -592,11 +592,11 @@  static void can_restart(struct net_device *dev)
 
 	cf->can_id |= CAN_ERR_RESTARTED;
 
-	netif_rx_ni(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->len;
 
+	netif_rx_ni(skb);
+
 restart:
 	netdev_dbg(dev, "restarted\n");
 	priv->can_stats.restarts++;