Thread: 7 messages, 2 authors, 2021-01-20

Re: [PATCH v2 0/3] Fix several use after free bugs

From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: 2021-01-20 10:35:02

On 1/20/21 10:17 AM, Vincent MAILHOL wrote:
> On Wed. 20 Jan 2021 at 18:09, Vincent Mailhol [off-list ref] wrote:
>> This series fixes three bugs which all have the same root cause.
>>
>> When calling netif_rx(skb) and its variants, the skb will eventually
>> get consumed (or freed) and thus it is unsafe to dereference it after
>> the call returns.
>>
>> This remark especially applies to any variable that aliases the skb
>> memory, which is the case for the can(fd)_frame.
>>
>> The pattern is as follows:
>>     skb = alloc_can_skb(dev, &cf);
>>     /* Do stuff */
>>     netif_rx(skb);
>>     stats->rx_bytes += cf->len;
>>
>> Increasing the stats should be done *before* the call to netif_rx()
>> while the skb is still safe to use.
>>
>>
>> Changes since v1:
>>   - fix a silly typo in patch 2/3 (variable len was declared twice...)
>>
>>
>> Vincent Mailhol (3):
>>   can: dev: can_restart: fix use after free bug
>>   can: vxcan: vxcan_xmit: fix use after free bug
>>   can: peak_usb: fix use after free bugs
>>
>>  drivers/net/can/dev/dev.c                  | 4 ++--
>>  drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
>>  drivers/net/can/vxcan.c                    | 6 ++++--
>>  3 files changed, 10 insertions(+), 8 deletions(-)
>>
>>
>> base-commit: 1105592cb8fdfcc96f2c9c693ff4106bac5fac7c
>> --
>> 2.26.2
>
> And of course, I just saw Marc's comments just after sending the v2...
> Please ignore this message, there will be a v3 rebased on net/master.

I thought something like this.

Please go ahead. I'll wait for your v3.

> And sorry for the noise.

No problem.

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
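The cover letter above describes the ownership rule that makes the pattern a use after free: the can_frame pointer returned by alloc_can_skb() points *into* the skb's data buffer, and netif_rx() takes the skb away from the caller. The following is an added userspace model of that rule, written for this page and not taken from the kernel or from the patch series; alloc_can_skb_sim(), netif_rx_sim() and the struct definitions are stand-ins for the kernel API (the real netif_rx() queues the skb for the stack rather than freeing it on the spot, but the caller may not touch it after return either way). It shows the buggy ordering beside the corrected one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the kernel types (assumptions, not the real definitions).
 * The only property that matters: the CAN frame lives inside the skb's
 * data buffer, so a can_frame pointer is an alias into the skb, not a copy. */
struct can_frame {
    uint32_t can_id;
    uint8_t  len;
    uint8_t  data[8];
};

struct sk_buff {
    unsigned char *data;
    size_t         len;
};

struct net_device_stats {
    unsigned long rx_packets;
    unsigned long rx_bytes;
};

/* Stand-in for alloc_can_skb(): allocate an skb whose payload is a
 * can_frame and hand back a pointer *into* that payload. */
static struct sk_buff *alloc_can_skb_sim(struct can_frame **cf)
{
    struct sk_buff *skb = calloc(1, sizeof(*skb));
    if (!skb)
        return NULL;
    skb->len = sizeof(struct can_frame);
    skb->data = calloc(1, skb->len);
    if (!skb->data) {
        free(skb);
        return NULL;
    }
    *cf = (struct can_frame *)skb->data;  /* alias into skb->data */
    return skb;
}

/* Stand-in for netif_rx(): takes ownership of the skb. This model poisons
 * the payload and frees it immediately, so any access through the stale
 * alias is reported by ASan or Valgrind instead of silently reading junk. */
static int netif_rx_sim(struct sk_buff *skb)
{
    memset(skb->data, 0xAA, skb->len);
    free(skb->data);
    free(skb);
    return 0;
}

/* The buggy ordering from the cover letter: cf is dereferenced after
 * netif_rx() has taken the skb. Only call this to watch it fail. */
static void rx_frame_buggy(struct net_device_stats *stats, uint8_t len)
{
    struct can_frame *cf;
    struct sk_buff *skb = alloc_can_skb_sim(&cf);
    if (!skb)
        return;
    cf->len = len;
    netif_rx_sim(skb);
    stats->rx_packets++;
    stats->rx_bytes += cf->len;  /* use after free: cf aliases freed skb->data */
}

/* The fixed ordering: account the frame while we still own the skb, then
 * hand it over and never touch skb or cf again. Returns the running byte count. */
static unsigned long rx_frame_fixed(struct net_device_stats *stats, uint8_t len)
{
    struct can_frame *cf;
    struct sk_buff *skb = alloc_can_skb_sim(&cf);
    if (!skb)
        return stats->rx_bytes;
    cf->len = len;
    stats->rx_packets++;
    stats->rx_bytes += cf->len;  /* safe: skb not yet handed to the stack */
    netif_rx_sim(skb);
    return stats->rx_bytes;
}

/* Feed n constructed frames with the given lengths through the fixed path
 * and return the total bytes counted. */
static unsigned long count_frames(const uint8_t *lens, size_t n)
{
    struct net_device_stats stats = {0};
    for (size_t i = 0; i < n; i++)
        rx_frame_fixed(&stats, lens[i]);
    return stats.rx_bytes;
}

int main(int argc, char **argv)
{
    const uint8_t lens[] = {8, 3, 5};  /* constructed sample frames */
    printf("fixed path counted %lu bytes\n", count_frames(lens, 3));

    /* Build with -fsanitize=address and run with --buggy to see the
     * heap-use-after-free report on the stats->rx_bytes += cf->len line. */
    if (argc > 1 && strcmp(argv[1], "--buggy") == 0) {
        struct net_device_stats stats = {0};
        rx_frame_buggy(&stats, 8);
    }
    return 0;
}
```

The model deliberately frees inside netif_rx_sim() so the hazard is deterministic; in the kernel the skb may survive for a while on a backlog queue, which is exactly why this class of bug passes casual testing and only shows up under KASAN or under load.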
