On 1/20/21 12:41 PM, Vincent Mailhol wrote: > This series fix three bugs which all have the same root cause. > > When calling netif_rx(skb) and its variants, the skb will eventually > get consumed (or freed) and thus it is unsafe to dereference it after > the call returns. > > This remark especially applies to any variable with aliases the skb > memory which is the case of the can(fd)_frame. > > The pattern is as this: > skb = alloc_can_skb(dev, &cf); > /* Do stuff */ > netif_rx(skb); > stats->rx_bytes += cf->len; > > Increasing the stats should be done *before* the call to netif_rx() > while the skb is still safe to use. > > Changes since v3: > - Patch 1/3: move the comments for upstream after the --- scissors > > Changes since v2: > - rebase on net/master > - Patch 1/3: Added a comment towards upstream to inform about a > conflict which will occur when net-next and net are merged > Ref: https://lore.kernel.org/linux-can/20210120085356.m7nabbw5zhy7prpo@xxxxxxxxxxxxxxxxxxxxxxxx/ > > Changes since v1: > - fix a silly typo in patch 2/3 (variable len was declared twice...) > > Vincent Mailhol (3): > can: dev: can_restart: fix use after free bug > can: vxcan: vxcan_xmit: fix use after free bug > can: peak_usb: fix use after free bugs > > drivers/net/can/dev.c | 4 ++-- > drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++---- > drivers/net/can/vxcan.c | 6 ++++-- > 3 files changed, 10 insertions(+), 8 deletions(-) Applied to linux-can-testing. I don't know why 2/3 hasn't made it to the mail archive yet. Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: OpenPGP digital signature
