]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ccea9cf) | patch
can: pch_can: pch_can_rx_normal: fix use after free
authorVincent Mailhol <mailhol.vincent@wanadoo.fr>
Tue, 23 Nov 2021 11:16:54 +0000 (20:16 +0900)
committerAndrea Righi <andrea.righi@canonical.com>
Tue, 4 Jan 2022 08:49:14 +0000 (09:49 +0100)
commit248634d2d5b6e04e0077d57d59ca94760c6adca9
tree60dd20e60f3605e318adefdfa25dce3082bd6232tree
parentccea9cfb6dfeafcda6c298d398976628c15398d2commit | diff
can: pch_can: pch_can_rx_normal: fix use after free

BugLink: https://bugs.launchpad.net/bugs/1954931
commit 94cddf1e9227a171b27292509d59691819c458db upstream.

After calling netif_receive_skb(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is dereferenced
just after the call netif_receive_skb(skb).

Reordering the lines solves the issue.

Fixes: b21d18b51b31 ("can: Topcliff: Add PCH_CAN driver.")
Link: https://lore.kernel.org/all/20211123111654.621610-1-mailhol.vincent@wanadoo.fr
Cc: stable@vger.kernel.org
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
drivers/net/can/pch_can.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror