linux-can-fixes-for-5.11-20210120

-----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEK3kIWJt9yTYMP3ehqclaivrt76kFAmAII5ITHG1rbEBwZW5n
 dXRyb25peC5kZQAKCRCpyVqK+u3vqQyJB/9igHNraXi8aRWiNuhFE8cxB3ye4BBO
 HtM74BXkmAXPiW2WUQ/yjZA2JMMe09qvculls0nDzpvnigxlNdO/oDELY8ezBB9C
 NWH6D8D/LADHWJY8nzzmGVvhLoB+X2Jpdq+89XTghMjuv6kmDtg+3sBaeYjd3R5I
 1EOS0IPzQteS8DX11BRRzG+UWRWVmMdbk9bCLkRXSzj5H9LyKecXuyo7vSCLEHeC
 yyDz8TMtFv5fg/7rITHfT+zowf09qliE1Qhl+Pf7DioUIkrDvf4Lqhrs9mMXMZTq
 NV+p1sX+IrCnC2O34jl4/8UYe+o9j/vSy1osKoiF4DAsb1+chxNtqSnH
 =wV6c
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-5.11-20210120' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
linux-can-fixes-for-5.11-20210120

All three patches are by Vincent Mailhol and fix a potential use after free bug
in the CAN device infrastructure, the vxcan driver, and the peak_usk driver. In
the TX-path the skb is used to read from after it was passed to the networking
stack with netif_rx_ni().

* tag 'linux-can-fixes-for-5.11-20210120' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
  can: peak_usb: fix use after free bugs
  can: vxcan: vxcan_xmit: fix use after free bug
  can: dev: can_restart: fix use after free bug
====================

Link: https://lore.kernel.org/r/20210120125202.2187358-1-mkl@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski 2021-01-20 09:16:01 -08:00
commit 535d31593f
3 changed files with 10 additions and 8 deletions

View File

@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev)
cf->can_id |= CAN_ERR_RESTARTED; cf->can_id |= CAN_ERR_RESTARTED;
netif_rx_ni(skb);
stats->rx_packets++; stats->rx_packets++;
stats->rx_bytes += cf->len; stats->rx_bytes += cf->len;
netif_rx_ni(skb);
restart: restart:
netdev_dbg(dev, "restarted\n"); netdev_dbg(dev, "restarted\n");
priv->can_stats.restarts++; priv->can_stats.restarts++;

View File

@ -514,11 +514,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
else else
memcpy(cfd->data, rm->d, cfd->len); memcpy(cfd->data, rm->d, cfd->len);
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
netdev->stats.rx_packets++; netdev->stats.rx_packets++;
netdev->stats.rx_bytes += cfd->len; netdev->stats.rx_bytes += cfd->len;
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
return 0; return 0;
} }
@ -580,11 +580,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
if (!skb) if (!skb)
return -ENOMEM; return -ENOMEM;
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
netdev->stats.rx_packets++; netdev->stats.rx_packets++;
netdev->stats.rx_bytes += cf->len; netdev->stats.rx_bytes += cf->len;
peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
return 0; return 0;
} }

View File

@ -39,6 +39,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
struct net_device *peer; struct net_device *peer;
struct canfd_frame *cfd = (struct canfd_frame *)skb->data; struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
struct net_device_stats *peerstats, *srcstats = &dev->stats; struct net_device_stats *peerstats, *srcstats = &dev->stats;
u8 len;
if (can_dropped_invalid_skb(dev, skb)) if (can_dropped_invalid_skb(dev, skb))
return NETDEV_TX_OK; return NETDEV_TX_OK;
@ -61,12 +62,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
skb->dev = peer; skb->dev = peer;
skb->ip_summed = CHECKSUM_UNNECESSARY; skb->ip_summed = CHECKSUM_UNNECESSARY;
len = cfd->len;
if (netif_rx_ni(skb) == NET_RX_SUCCESS) { if (netif_rx_ni(skb) == NET_RX_SUCCESS) {
srcstats->tx_packets++; srcstats->tx_packets++;
srcstats->tx_bytes += cfd->len; srcstats->tx_bytes += len;
peerstats = &peer->stats; peerstats = &peer->stats;
peerstats->rx_packets++; peerstats->rx_packets++;
peerstats->rx_bytes += cfd->len; peerstats->rx_bytes += len;
} }
out_unlock: out_unlock: