From patchwork Wed Jul 15 07:09:46 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Marc Kleine-Budde X-Patchwork-Id: 495460 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3499B1401EF for ; Wed, 15 Jul 2015 17:10:31 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752623AbbGOHKZ (ORCPT ); Wed, 15 Jul 2015 03:10:25 -0400 Received: from metis.ext.pengutronix.de ([92.198.50.35]:35999 "EHLO metis.ext.pengutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752177AbbGOHKA (ORCPT ); Wed, 15 Jul 2015 03:10:00 -0400 Received: from gallifrey.ext.pengutronix.de ([2001:67c:670:201:5054:ff:fe8d:eefb] helo=hardanger.blackshift.org) by metis.ext.pengutronix.de with esmtp (Exim 4.80) (envelope-from ) id 1ZFExX-0004f9-W5; Wed, 15 Jul 2015 07:10:20 +0200 From: Marc Kleine-Budde To: netdev@vger.kernel.org Cc: davem@davemloft.net, linux-can@vger.kernel.org, kernel@pengutronix.de, Marc Kleine-Budde , =?UTF-8?q?Thomas=20K=C3=B6rper?= Subject: [PATCH 09/12] can: esd_usb2: don't touch skb after netif_rx() Date: Wed, 15 Jul 2015 09:09:46 +0200 Message-Id: <1436944189-26618-10-git-send-email-mkl@pengutronix.de> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1436944189-26618-1-git-send-email-mkl@pengutronix.de> References: <1436944189-26618-1-git-send-email-mkl@pengutronix.de> MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2001:67c:670:201:5054:ff:fe8d:eefb X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: netdev@vger.kernel.org Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org There is no guarantee that the skb is in the same state after calling net_receive_skb() or netif_rx(). It might be freed or reused. Not really harmful as its a read access, except you turn on the proper debugging options which catch a use after free. Cc: Thomas Körper Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/esd_usb2.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c index 411c1af92c62..0e5a4493ba4f 100644 --- a/drivers/net/can/usb/esd_usb2.c +++ b/drivers/net/can/usb/esd_usb2.c @@ -301,13 +301,12 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, cf->data[7] = rxerr; } - netif_rx(skb); - priv->bec.txerr = txerr; priv->bec.rxerr = rxerr; stats->rx_packets++; stats->rx_bytes += cf->can_dlc; + netif_rx(skb); } } @@ -347,10 +346,9 @@ static void esd_usb2_rx_can_msg(struct esd_usb2_net_priv *priv, cf->data[i] = msg->msg.rx.data[i]; } - netif_rx(skb); - stats->rx_packets++; stats->rx_bytes += cf->can_dlc; + netif_rx(skb); } return;