[PATCH openEuler-1.0-LTS 2/2] can: dev: can_restart: fix use after free bug

From: Vincent Mailhol <mailhol.vincent@wanadoo.fr> stable inclusion from stable-v4.19.171 commit 08ab951787098ae0b6c0364aeea7a8138226f234 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC21UW CVE: CVE-2021-47668 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ] After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the netif_rx_ni() in: stats->rx_bytes += cf->len; Reordering the lines solves the issue. Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: drivers/net/can/dev.c [File name change from commit 3e77f70e7345("can: dev: move driver related infrastructure into separate subdir"), which has merged.] Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- drivers/net/can/dev/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 1733f07b3b6a..1da917fde8bd 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -577,11 +577,11 @@ static void can_restart(struct net_device *dev) } cf->can_id |= CAN_ERR_RESTARTED; - netif_rx_ni(skb); - stats->rx_packets++; stats->rx_bytes += cf->can_dlc; + netif_rx_ni(skb); + restart: netdev_dbg(dev, "restarted\n"); priv->can_stats.restarts++; -- 2.25.1