This is a note to let you know that I've just added the patch titled can: m_can: m_can_tx_handler(): fix use after free of skb to the 4.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: can-m_can-m_can_tx_handler-fix-use-after-free-of-skb.patch and it can be found in the queue-4.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Tue Jul 19 01:38:52 PM CEST 2022 From: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> Date: Thu, 17 Mar 2022 08:57:35 +0100 Subject: can: m_can: m_can_tx_handler(): fix use after free of skb From: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> commit 2e8e79c416aae1de224c0f1860f2e3350fa171f8 upstream. can_put_echo_skb() will clone skb then free the skb. Move the can_put_echo_skb() for the m_can version 3.0.x directly before the start of the xmit in hardware, similar to the 3.1.x branch. Fixes: 80646733f11c ("can: m_can: update to support CAN FD features") Link: https://lore.kernel.org/all/20220317081305.739554-1-mkl@xxxxxxxxxxxxxx Cc: stable@xxxxxxxxxxxxxxx Reported-by: Hangyu Hua <hbh25y@xxxxxxxxx> Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> [sudip: adjust context] Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/can/m_can/m_can.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/net/can/m_can/m_can.c +++ b/drivers/net/can/m_can/m_can.c @@ -1438,8 +1438,6 @@ static netdev_tx_t m_can_start_xmit(stru M_CAN_FIFO_DATA(i / 4), *(u32 *)(cf->data + i)); - can_put_echo_skb(skb, dev, 0); - if (priv->can.ctrlmode & CAN_CTRLMODE_FD) { cccr = m_can_read(priv, M_CAN_CCCR); cccr &= ~(CCCR_CMR_MASK << CCCR_CMR_SHIFT); 
@@ -1456,6 +1454,9 @@ static netdev_tx_t m_can_start_xmit(stru m_can_write(priv, M_CAN_CCCR, cccr); } m_can_write(priv, M_CAN_TXBTIE, 0x1); + + can_put_echo_skb(skb, dev, 0); + m_can_write(priv, M_CAN_TXBAR, 0x1); /* End of xmit function for version 3.0.x */ } else { Patches currently in stable-queue which might be from mkl@xxxxxxxxxxxxxx are queue-4.19/can-m_can-m_can_tx_handler-fix-use-after-free-of-skb.patch
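Review bot: In the first hunk (@@ -1438,8 +1438,6 @@), the removed can_put_echo_skb(skb, dev, 0) sat directly before the CAN_CTRLMODE_FD block, but neither the commit message nor the visible context says which later statement still touched skb. The lines between the two hunks are not shown, so the changelog should name the access that followed the old call site; that lets a backport reviewer confirm nothing uses skb after the new one. The subject also names m_can_tx_handler() while both hunk headers show m_can_start_xmit(), which the "[sudip: adjust context]" note could state explicitly.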
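Review bot: In the second hunk (@@ -1456,6 +1454,9 @@), the relocated can_put_echo_skb(skb, dev, 0) between the M_CAN_TXBTIE and M_CAN_TXBAR writes carries no comment, so nothing in the code records that skb must not be used after it. The commit message states that the call clones and then frees the skb; a one-line comment above the call saying so would keep a later edit from adding an skb access before "End of xmit function for version 3.0.x" and reintroducing the use after free.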