On 1/20/21 10:17 AM, Vincent MAILHOL wrote: > On Wed. 20 Jan 2021 à 18:09, Vincent Mailhol <mailhol.vincent@xxxxxxxxxx> wrote: >> This series fix three bugs which all have the same root cause. >> >> When calling netif_rx(skb) and its variants, the skb will eventually >> get consumed (or freed) and thus it is unsafe to dereference it after >> the call returns. >> >> This remark especially applies to any variable with aliases the skb >> memory which is the case of the can(fd)_frame. >> >> The pattern is as this: >> skb = alloc_can_skb(dev, &cf); >> /* Do stuff */ >> netif_rx(skb); >> stats->rx_bytes += cf->len; >> >> Increasing the stats should be done *before* the call to netif_rx() >> while the skb is still safe to use. >> >> >> Changes since v1: >> - fix a silly typo in patch 2/3 (variable len was declared twice...) >> >> >> Vincent Mailhol (3): >> can: dev: can_restart: fix use after free bug >> can: vxcan: vxcan_xmit: fix use after free bug >> can: peak_usb: fix use after free bugs >> >> drivers/net/can/dev/dev.c | 4 ++-- >> drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++---- >> drivers/net/can/vxcan.c | 6 ++++-- >> 3 files changed, 10 insertions(+), 8 deletions(-) >> >> >> base-commit: 1105592cb8fdfcc96f2c9c693ff4106bac5fac7c >> -- >> 2.26.2 > > And of course, I just saw Marc comments just after sending the v2... > Please ignore this message, there will be a v3 rebased on net/master. I thought something like this. Please go ahead. I'll wait for your v3. > And sorry for the noise. No problem. regards, Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: OpenPGP digital signature
