Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Mon, 25 Jan 2021 03:21:30 +0000 (22:21 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 25 Jan 2021 03:21:30 +0000 (22:21 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/can-dev-can_restart-fix-use-after-free-bug.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/can-dev-can_restart-fix-use-after-free-bug.patch b/queue-4.4/can-dev-can_restart-fix-use-after-free-bug.patch
new file mode 100644 (file)
index 0000000..3f9dfa5
--- /dev/null
@@ -0,0 +1,46 @@
+From e525b9b1cd2f304f9d0cbf412efd421bf0a42b9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 20:41:35 +0900
+Subject: can: dev: can_restart: fix use after free bug
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ]
+
+After calling netif_rx_ni(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is accessed
+after the netif_rx_ni() in:
+      stats->rx_bytes += cf->len;
+
+Reordering the lines solves the issue.
+
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 52110017fd401..45f15ac6b1015 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -525,11 +525,11 @@ static void can_restart(struct net_device *dev)
+       }
+       cf->can_id |= CAN_ERR_RESTARTED;
+-      netif_rx_ni(skb);
+-
+       stats->rx_packets++;
+       stats->rx_bytes += cf->can_dlc;
++      netif_rx_ni(skb);
++
+ restart:
+       netdev_dbg(dev, "restarted\n");
+       priv->can_stats.restarts++;
+-- 
+2.27.0
+
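Review bot: The reordered block in drivers/net/can/dev.c leaves the ownership rule undocumented: nothing at the `netif_rx_ni(skb);` call says that skb, and cf which aliases its data, must not be read once the call returns. A one-line comment directly above the call would guard against a later reordering, for example `/* skb is handed to the stack here; do not touch skb or cf after this call */`. The commit message also quotes `stats->rx_bytes += cf->len;`, while the line in this 4.4 backport reads `stats->rx_bytes += cf->can_dlc;`, so a short backport note naming the field difference would help anyone searching the tree for the affected statement. can_restart() starts and ends outside the hunk, so whether any other path in the function touches skb after the call cannot be confirmed from the lines shown.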
index 1490fe3cb01979a1e9649ecf798ef482e2dedcba..857e7c93c85c7733a91b2ac845122a855f4e68b6 100644 (file)
@@ -6,3 +6,4 @@ asoc-intel-haswell-add-missing-pm_ops.patch
 scsi-ufs-correct-the-lun-used-in-eh_device_reset_han.patch
 drm-nouveau-bios-fix-issue-shadowing-expansion-roms.patch
 drm-nouveau-i2c-gm200-increase-width-of-aux-semaphor.patch
+can-dev-can_restart-fix-use-after-free-bug.patch