On 1/20/21 10:09 AM, Vincent Mailhol wrote: > This series fix three bugs which all have the same root cause. > > When calling netif_rx(skb) and its variants, the skb will eventually > get consumed (or freed) and thus it is unsafe to dereference it after > the call returns. > > This remark especially applies to any variable with aliases the skb > memory which is the case of the can(fd)_frame. > > The pattern is as this: > skb = alloc_can_skb(dev, &cf); > /* Do stuff */ > netif_rx(skb); > stats->rx_bytes += cf->len; > > Increasing the stats should be done *before* the call to netif_rx() > while the skb is still safe to use. > > > Changes since v1: > - fix a silly typo in patch 2/3 (variable len was declared twice...) > > > Vincent Mailhol (3): > can: dev: can_restart: fix use after free bug > can: vxcan: vxcan_xmit: fix use after free bug > can: peak_usb: fix use after free bugs > > drivers/net/can/dev/dev.c | 4 ++-- > drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++---- > drivers/net/can/vxcan.c | 6 ++++-- > 3 files changed, 10 insertions(+), 8 deletions(-) I'll rebase to net/master and apply to linux-can/testing. regards, Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: OpenPGP digital signature
