Thread: 8 messages, 3 authors, 2021-01-20

Re: [PATCH 0/3] Fix several use after free bugs.

From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: 2021-01-20 08:55:53

On Wed, Jan 20, 2021 at 01:25:09AM +0900, Vincent Mailhol wrote:
> This series fixes three bugs which all have the same root cause.
>
> When calling netif_rx(skb) and its variants, the skb will eventually
> get consumed (or freed) and thus it is unsafe to dereference it after
> the call returns.
>
> This remark especially applies to any variable which aliases the skb
> memory, which is the case of the can(fd)_frame.
>
> The pattern is like this:
>     skb = alloc_can_skb(dev, &cf);
>     /* Do stuff */
>     netif_rx(skb);
>     stats->rx_bytes += cf->len;
>
> Increasing the stats should be done *before* the call to netif_rx()
> while the skb is still safe to use.
>
> Vincent Mailhol (3):
>   can: dev: can_restart: fix use after free bug
>   can: vxcan: vxcan_xmit: fix use after free bug
>   can: peak_usb: fix use after free bugs
>
>  drivers/net/can/dev/dev.c                  | 4 ++--
>  drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
>  drivers/net/can/vxcan.c                    | 6 ++++--
>  3 files changed, 10 insertions(+), 8 deletions(-)
>
> base-commit: 1105592cb8fdfcc96f2c9c693ff4106bac5fac7c
> prerequisite-patch-id: d9d54d9159b70a5ef179d19d5add20caffbae638

As these are fixes, this should go into net/master (and then be backported to
the stable kernels). Please rebase to net/master.

Of course there will be a merge conflict when net-next and net are merged, due
to the moving and splitting of dev.c. You anticipated this and noted that
as a prerequisite. (BTW: I don't find a commit for
d9d54d9159b70a5ef179d19d5add20caffbae638).

The kernel way to deal with this is to inform the upstream of the problem. A
trivial merge conflict can, I think, be described in words, like: "The dev.c
file has been moved, carry the patch forward." I don't know the procedure for
more complicated merges :)

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
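
The ordering rule from the cover letter quoted above, as an added example that is not part of the original thread or of the kernel patches. It is a userspace C model in which toy_skb, toy_frame, toy_alloc_skb() and toy_netif_rx() are hypothetical stand-ins for struct sk_buff, struct can_frame, alloc_can_skb() and netif_rx(); the frame pointer aliases the buffer, so the statistics are updated before ownership is handed off.

```c
/* Userspace model (constructed, not kernel code). All toy_* names are
 * hypothetical stand-ins for struct sk_buff, struct can_frame,
 * alloc_can_skb() and netif_rx(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_frame { uint32_t can_id; uint8_t len; uint8_t data[8]; };
struct toy_skb   { struct toy_frame frame; };  /* frame lives inside the skb */
struct toy_stats { unsigned long rx_packets, rx_bytes; };

/* Like alloc_can_skb(): returns the buffer and an alias (*cf) into it. */
static struct toy_skb *toy_alloc_skb(struct toy_frame **cf)
{
    struct toy_skb *skb = calloc(1, sizeof(*skb));
    *cf = skb ? &skb->frame : NULL;
    return skb;
}

/* Like netif_rx(): takes ownership; the buffer may be gone on return. */
static void toy_netif_rx(struct toy_skb *skb)
{
    memset(skb, 0xA5, sizeof(*skb));  /* poison before releasing */
    free(skb);
}

/* Fixed ordering: read what is needed from cf, then hand the skb off. */
static int rx_one(struct toy_stats *stats, uint8_t len)
{
    struct toy_frame *cf;
    struct toy_skb *skb = toy_alloc_skb(&cf);
    if (!skb)
        return -1;
    cf->len = len;
    stats->rx_packets++;
    stats->rx_bytes += cf->len;  /* before the hand-off: cf is still valid */
    toy_netif_rx(skb);           /* skb and cf must not be touched below */
    return 0;
}

static unsigned long demo(void)
{
    struct toy_stats stats = {0, 0};
    rx_one(&stats, 8); rx_one(&stats, 3);
    return stats.rx_bytes;       /* 8 + 3 bytes accounted */
}

int main(void) { printf("rx_bytes=%lu\n", demo()); return 0; }
```

Moving the rx_bytes line below toy_netif_rx() reproduces the pattern from the cover letter; building the model with -fsanitize=address reports that read as a heap-use-after-free.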
