This is a note to let you know that I've just added the patch titled can: pch_can: pch_can_rx_normal: fix use after free to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: can-pch_can-pch_can_rx_normal-fix-use-after-free.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 94cddf1e9227a171b27292509d59691819c458db Mon Sep 17 00:00:00 2001 From: Vincent Mailhol <mailhol.vincent@xxxxxxxxxx> Date: Tue, 23 Nov 2021 20:16:54 +0900 Subject: can: pch_can: pch_can_rx_normal: fix use after free From: Vincent Mailhol <mailhol.vincent@xxxxxxxxxx> commit 94cddf1e9227a171b27292509d59691819c458db upstream. After calling netif_receive_skb(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is dereferenced just after the call netif_receive_skb(skb). Reordering the lines solves the issue. Fixes: b21d18b51b31 ("can: Topcliff: Add PCH_CAN driver.") Link: https://lore.kernel.org/all/20211123111654.621610-1-mailhol.vincent@xxxxxxxxxx Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Vincent Mailhol <mailhol.vincent@xxxxxxxxxx> Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/can/pch_can.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/can/pch_can.c +++ b/drivers/net/can/pch_can.c @@ -692,11 +692,11 @@ static int pch_can_rx_normal(struct net_ cf->data[i + 1] = data_reg >> 8; } - netif_receive_skb(skb); rcv_pkts++; stats->rx_packets++; quota--; stats->rx_bytes += cf->len; + netif_receive_skb(skb); pch_fifo_thresh(priv, obj_num); obj_num++; Patches currently in stable-queue which might be from mailhol.vincent@xxxxxxxxxx are queue-5.15/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch queue-5.15/can-m_can-m_can_read_fifo-fix-memory-leak-in-error-branch.patch