From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
To: Marc Kleine-Budde <mkl@pengutronix.de>,
	Oliver Hartkopp <socketcan@hartkopp.net>,
	linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org, Wolfgang Grandegger <wg@grandegger.com>,
	Stephane Grosjean <s.grosjean@peak-system.com>,
	Loris Fauster <loris.fauster@ttcontrol.com>,
	Alejandro Concepcion Rodriguez <alejandro@acoro.eu>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Subject: [PATCH v4 1/3] can: dev: can_restart: fix use after free bug
Date: Wed, 20 Jan 2021 20:41:35 +0900
Message-ID: <20210120114137.200019-2-mailhol.vincent@wanadoo.fr>
In-Reply-To: <20210120114137.200019-1-mailhol.vincent@wanadoo.fr>

After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the netif_rx_ni() in:
      stats->rx_bytes += cf->len;

Reordering the lines solves the issue.

Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
*Remark for upstream*
drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
below commit, please carry the patch forward.
Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
into separate subdir")
---
 drivers/net/can/dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 3486704c8a95..8b1ae023cb21 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev)
 
 	cf->can_id |= CAN_ERR_RESTARTED;
 
-	netif_rx_ni(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->len;
 
+	netif_rx_ni(skb);
+
 restart:
 	netdev_dbg(dev, "restarted\n");
 	priv->can_stats.restarts++;
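
Review bot: Nothing in can_restart() now records why the stats->rx_packets / stats->rx_bytes update has to come before netif_rx_ni(skb), so a later cleanup could move the lines back and reintroduce the cf->len read on memory the stack may already have freed. A one-line comment directly above netif_rx_ni(skb), stating that skb and cf (which points into skb's data) must not be touched after the call, would make the ordering constraint explicit. An alternative that does not depend on statement order is to copy cf->len into a local before the handoff and use the local for stats->rx_bytes.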
-- 
2.26.2