Commit 535d3159 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge tag 'linux-can-fixes-for-5.11-20210120' of...

Merge tag 'linux-can-fixes-for-5.11-20210120' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
linux-can-fixes-for-5.11-20210120

All three patches are by Vincent Mailhol and fix a potential use-after-free bug
in the CAN device infrastructure, the vxcan driver, and the peak_usb driver. In
the TX-path the skb is read from after it has been passed to the networking
stack with netif_rx_ni().

* tag 'linux-can-fixes-for-5.11-20210120' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
  can: peak_usb: fix use after free bugs
  can: vxcan: vxcan_xmit: fix use after free bug
  can: dev: can_restart: fix use after free bug
====================

Link: https://lore.kernel.org/r/20210120125202.2187358-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 0c630a66 50aca891
...@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev) ...@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev)
cf->can_id |= CAN_ERR_RESTARTED; cf->can_id |= CAN_ERR_RESTARTED;
netif_rx_ni(skb);
stats->rx_packets++; stats->rx_packets++;
stats->rx_bytes += cf->len; stats->rx_bytes += cf->len;
netif_rx_ni(skb);
restart: restart:
netdev_dbg(dev, "restarted\n"); netdev_dbg(dev, "restarted\n");
priv->can_stats.restarts++; priv->can_stats.restarts++;
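Review bot: Nothing in can_restart records why `netif_rx_ni(skb)` has to stay after the statistics update. Going by the commit message, `cf` presumably points into the skb's data, so `stats->rx_bytes += cf->len` is only valid while the driver still owns the skb. A one-line comment above the call, e.g. `/* skb (and cf, which points into it) must not be touched after this */`, would keep a later reordering from reintroducing the use after free. The same comment fits above `peak_usb_netif_rx()` in pcan_usb_fd_decode_canmsg and pcan_usb_fd_decode_status, which appear to be reordered the same way. can_restart's body starts and ends outside the hunk.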
......
...@@ -514,11 +514,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, ...@@ -514,11 +514,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
else else
memcpy(cfd->data, rm->d, cfd->len); memcpy(cfd->data, rm->d, cfd->len);
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
netdev->stats.rx_packets++; netdev->stats.rx_packets++;
netdev->stats.rx_bytes += cfd->len; netdev->stats.rx_bytes += cfd->len;
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
return 0; return 0;
} }
...@@ -580,11 +580,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if, ...@@ -580,11 +580,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
if (!skb) if (!skb)
return -ENOMEM; return -ENOMEM;
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
netdev->stats.rx_packets++; netdev->stats.rx_packets++;
netdev->stats.rx_bytes += cf->len; netdev->stats.rx_bytes += cf->len;
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
return 0; return 0;
} }
......
...@@ -39,6 +39,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -39,6 +39,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
struct net_device *peer; struct net_device *peer;
struct canfd_frame *cfd = (struct canfd_frame *)skb->data; struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
struct net_device_stats *peerstats, *srcstats = &dev->stats; struct net_device_stats *peerstats, *srcstats = &dev->stats;
u8 len;
if (can_dropped_invalid_skb(dev, skb)) if (can_dropped_invalid_skb(dev, skb))
return NETDEV_TX_OK; return NETDEV_TX_OK;
...@@ -61,12 +62,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -61,12 +62,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
skb->dev = peer; skb->dev = peer;
skb->ip_summed = CHECKSUM_UNNECESSARY; skb->ip_summed = CHECKSUM_UNNECESSARY;
len = cfd->len;
if (netif_rx_ni(skb) == NET_RX_SUCCESS) { if (netif_rx_ni(skb) == NET_RX_SUCCESS) {
srcstats->tx_packets++; srcstats->tx_packets++;
srcstats->tx_bytes += cfd->len; srcstats->tx_bytes += len;
peerstats = &peer->stats; peerstats = &peer->stats;
peerstats->rx_packets++; peerstats->rx_packets++;
peerstats->rx_bytes += cfd->len; peerstats->rx_bytes += len;
} }
out_unlock: out_unlock:
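Review bot: The new local `len` in vxcan_xmit looks redundant without a comment, and `cfd` stays in scope as a pointer into `skb->data` after `netif_rx_ni(skb)`. A later cleanup could fold `len` back into `cfd->len` and restore the read of a buffer the stack may already have freed. I would add `/* cache the length: skb must not be dereferenced after netif_rx_ni() */` above `len = cfd->len;`. Both hunks cut through vxcan_xmit, whose body continues past `out_unlock:` outside the visible lines.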
......