From b04a0968e9e67e1b52aa44c8bb6b6725fe3bac46 Mon Sep 17 00:00:00 2001 From: Alejandro Concepcion Rodriguez Date: Tue, 29 Apr 2025 11:45:08 +0800 Subject: [PATCH 1/2] can: dev: can_restart(): post buffer from the right context stable inclusion from stable-v4.19.160 commit cef79b5249ea3bf7889f222999a3bcbc560d9a41 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC21UW CVE: CVE-2021-47668 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cef79b5249ea3bf7889f222999a3bcbc560d9a41 -------------------------------- [ Upstream commit a1e654070a60d5d4f7cce59c38f4ca790bb79121 ] netif_rx() is meant to be called from interrupt contexts. can_restart() may be called by can_restart_work(), which is called from a worqueue, so it may run in process context. Use netif_rx_ni() instead. Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Co-developed-by: Loris Fauster Signed-off-by: Loris Fauster Signed-off-by: Alejandro Concepcion Rodriguez Link: https://lore.kernel.org/r/4e84162b-fb31-3a73-fa9a-9438b4bd5234@acoro.eu [mkl: use netif_rx_ni() instead of netif_rx_any_context()] Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin Conflicts: drivers/net/can/dev.c [File name change from commit 3e77f70e7345("can: dev: move driver related infrastructure into separate subdir"), which has merged.] Signed-off-by: Gu Bowen --- drivers/net/can/dev/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index dde22c626b5c..7544a03f0626 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -581,7 +581,7 @@ static void can_restart(struct net_device *dev) } cf->can_id |= CAN_ERR_RESTARTED; - netif_rx(skb); + netif_rx_ni(skb); stats->rx_packets++; stats->rx_bytes += cf->can_dlc; -- Gitee From cd13d53f94bdecf144e59ab564fd46632eef01f8 Mon Sep 17 00:00:00 2001 From: Vincent Mailhol Date: Tue, 29 Apr 2025 11:45:09 +0800 Subject: [PATCH 2/2] can: dev: can_restart: fix use after free bug stable inclusion from stable-v4.19.171 commit 08ab951787098ae0b6c0364aeea7a8138226f234 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC21UW CVE: CVE-2021-47668 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=08ab951787098ae0b6c0364aeea7a8138226f234 -------------------------------- [ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ] After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the netif_rx_ni() in: stats->rx_bytes += cf->len; Reordering the lines solves the issue. Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin Conflicts: drivers/net/can/dev.c [File name change from commit 3e77f70e7345("can: dev: move driver related infrastructure into separate subdir"), which has merged.] Signed-off-by: Gu Bowen --- drivers/net/can/dev/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 7544a03f0626..f64ea4b9ced2 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -581,11 +581,11 @@ static void can_restart(struct net_device *dev) } cf->can_id |= CAN_ERR_RESTARTED; - netif_rx_ni(skb); - stats->rx_packets++; stats->rx_bytes += cf->can_dlc; + netif_rx_ni(skb); + restart: netdev_dbg(dev, "restarted\n"); priv->can_stats.restarts++; -- Gitee