From dd380f027e91d8f314a4154af49bbf91c108f879 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Sun, 24 Jan 2021 22:21:30 -0500
Subject: [PATCH] Fixes for 4.4

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...v-can_restart-fix-use-after-free-bug.patch | 46 +++++++++++++++++++
 queue-4.4/series                              |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 queue-4.4/can-dev-can_restart-fix-use-after-free-bug.patch

diff --git a/queue-4.4/can-dev-can_restart-fix-use-after-free-bug.patch b/queue-4.4/can-dev-can_restart-fix-use-after-free-bug.patch
new file mode 100644
index 00000000000..3f9dfa58419
--- /dev/null
+++ b/queue-4.4/can-dev-can_restart-fix-use-after-free-bug.patch
@@ -0,0 +1,46 @@
+From e525b9b1cd2f304f9d0cbf412efd421bf0a42b9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 20:41:35 +0900
+Subject: can: dev: can_restart: fix use after free bug
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ]
+
+After calling netif_rx_ni(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is accessed
+after the netif_rx_ni() in:
+      stats->rx_bytes += cf->len;
+
+Reordering the lines solves the issue.
+
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 52110017fd401..45f15ac6b1015 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -525,11 +525,11 @@ static void can_restart(struct net_device *dev)
+ 	}
+ 	cf->can_id |= CAN_ERR_RESTARTED;
+ 
+-	netif_rx_ni(skb);
+-
+ 	stats->rx_packets++;
+ 	stats->rx_bytes += cf->can_dlc;
+ 
++	netif_rx_ni(skb);
++
+ restart:
+ 	netdev_dbg(dev, "restarted\n");
+ 	priv->can_stats.restarts++;
+-- 
+2.27.0
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 1490fe3cb01..857e7c93c85 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -6,3 +6,4 @@ asoc-intel-haswell-add-missing-pm_ops.patch
 scsi-ufs-correct-the-lun-used-in-eh_device_reset_han.patch
 drm-nouveau-bios-fix-issue-shadowing-expansion-roms.patch
 drm-nouveau-i2c-gm200-increase-width-of-aux-semaphor.patch
+can-dev-can_restart-fix-use-after-free-bug.patch
-- 
2.47.3