From 04ed880706fc9fdd6ecd284de47a40c40a091b84 Mon Sep 17 00:00:00 2001
From: Stefan Kratochwil <stefan.kratochwil@cetitec.com>
Date: Tue, 7 Nov 2017 11:48:16 +0100
Subject: [PATCH] Fixed NULL ptr deref in enqueue_to_backlog().
This function may be called from within an interrupt context, e.g. when
putting a CAN interface down while transmitting data. While kfree_skb()
is not interrupt safe, dev_kfree_skb_any() is.
See https://marc.info/?l=linux-netdev&m=150996705622284&w=2 for more
details.
Signed-off-by: Stefan Kratochwil <stefan.kratochwil@cetitec.com>
---
net/core/dev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
@@ -3886,7 +3886,9 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu,
local_irq_restore(flags);
atomic_long_inc(&skb->dev->rx_dropped);
- kfree_skb(skb);
+
+ /* We may have been called from within an IRQ context. */
+ dev_kfree_skb_any(skb);
return NET_RX_DROP;
}
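Review bot: The new comment above `dev_kfree_skb_any(skb)` says only that the caller may be in IRQ context; it does not say why the previous `kfree_skb()` was unsafe there, or how that led to the NULL dereference named in the subject. A comment such as `/* May be reached from hard-IRQ context (e.g. via netif_rx()); defer the free rather than run skb destructors here. */` would record the reasoning, assuming that is the failure the linked thread describes. Separately, `atomic_long_inc(&skb->dev->rx_dropped)` on the context line just before the free still dereferences `skb->dev` unconditionally. If the fault was a stale or NULL device pointer during interface teardown, this hunk would not cover it, so that is worth confirming against the oops trace. The body of enqueue_to_backlog() starts outside the hunk, so the locking and IRQ state leading up to `local_irq_restore(flags)` cannot be checked from here.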
--
2.15.0