diff mbox series

[net,1/3] can: dev: can_restart: fix use after free bug

Message ID 20210120125202.2187358-2-mkl@pengutronix.de (mailing list archive)
State Accepted
Commit 03f16c5075b22c8902d2af739969e878b0879c94
Delegated to: Netdev Maintainers
Headers show
Series [net,1/3] can: dev: can_restart: fix use after free bug | expand

Checks

Context Check Description
netdev/apply success Patch already applied to net
netdev/tree_selection success Clearly marked for net

Commit Message

Marc Kleine-Budde Jan. 20, 2021, 12:52 p.m. UTC 
From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>

After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the netif_rx_ni() in:
      stats->rx_bytes += cf->len;

Reordering the lines solves the issue.

Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 9c30ae8398b0813e237bde387d67a7f74ab2db2d

Comments

patchwork-bot+netdevbpf@kernel.org Jan. 20, 2021, 8:40 p.m. UTC | #1 
Hello:

This series was applied to netdev/net-next.git (refs/heads/master):

On Wed, 20 Jan 2021 13:52:00 +0100 you wrote:
> From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> 
> After calling netif_rx_ni(skb), dereferencing skb is unsafe.
> Especially, the can_frame cf which aliases skb memory is accessed
> after the netif_rx_ni() in:
>       stats->rx_bytes += cf->len;
> 
> [...]

Here is the summary with links:
  - [net,1/3] can: dev: can_restart: fix use after free bug
    https://git.kernel.org/netdev/net-next/c/03f16c5075b2
  - [net,2/3] can: vxcan: vxcan_xmit: fix use after free bug
    https://git.kernel.org/netdev/net-next/c/75854cad5d80
  - [net,3/3] can: peak_usb: fix use after free bugs
    https://git.kernel.org/netdev/net-next/c/50aca891d7a5

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 3486704c8a95..8b1ae023cb21 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -592,11 +592,11 @@  static void can_restart(struct net_device *dev)
 
 	cf->can_id |= CAN_ERR_RESTARTED;
 
-	netif_rx_ni(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->len;
 
+	netif_rx_ni(skb);
+
 restart:
 	netdev_dbg(dev, "restarted\n");
 	priv->can_stats.restarts++;