From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vincent Mailhol, Marc Kleine-Budde, Sasha Levin
Subject: [PATCH 4.19 30/58] can: peak_usb: fix use after free bugs
Date: Mon, 25 Jan 2021 19:39:31 +0100
Message-Id: <20210125183157.994272274@linuxfoundation.org>
In-Reply-To: <20210125183156.702907356@linuxfoundation.org>
References: <20210125183156.702907356@linuxfoundation.org>

From: Vincent Mailhol

[ Upstream commit 50aca891d7a554db0901b245167cd653d73aaa71 ]

After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the peak_usb_netif_rx_ni().

Reordering the lines solves the issue.

Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
Link: https://lore.kernel.org/r/20210120114137.200019-4-mailhol.vincent@wanadoo.fr
Signed-off-by: Vincent Mailhol
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Sasha Levin
--- drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c index 19600d35aac55..40ac37fe9dcde 100644 --- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c @@ -520,11 +520,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, else memcpy(cfd->data, rm->d, cfd->len); - peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low)); - netdev->stats.rx_packets++; netdev->stats.rx_bytes += cfd->len; + peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low)); + return 0; } 
@@ -586,11 +586,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if, if (!skb) return -ENOMEM; - peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low)); - netdev->stats.rx_packets++; netdev->stats.rx_bytes += cf->can_dlc; + peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low)); + return 0; } -- 2.27.0
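
Review bot: The changelog names peak_usb_netif_rx_ni(), but the call moved in the pcan_usb_fd_decode_canmsg() hunk (@@ -520) is peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low)). A short backport note in the commit message saying that this tree hands the skb over through peak_usb_netif_rx() would make it clear to a stable reviewer that the described use after free applies to this call as well. With the reordering, the read of cfd->len in netdev->stats.rx_bytes += cfd->len comes before the hand-off, which matches the stated intent.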
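
Review bot: Nothing in the pcan_usb_fd_decode_status() hunk (@@ -586) records why peak_usb_netif_rx() now has to be the last statement before return 0. A one-line comment above the moved call, stating that skb and the cf that aliases it must not be dereferenced after it, would keep a later edit from placing an access such as cf->can_dlc behind the call again. The same comment would fit above the moved call in pcan_usb_fd_decode_canmsg(), where cfd->len is the read being protected.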