* pull-request: can 2015-07-15
@ 2015-07-15  7:09 Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 01/12] can: at91_can: don't touch skb after netif_receive_skb()/netif_rx() Marc Kleine-Budde
                   ` (12 more replies)
  0 siblings, 13 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel

Hello David,

this is a pull request of 12 patches by me.

This series fixes the use of the skb after netif_receive_skb() / netif_rx()
which exists in several drivers.

Marc

---

The following changes since commit 50c2e4dd6749725338621fff456b26d3a592259f:

  net/xen-netback: off by one in BUG_ON() condition (2015-07-14 15:40:52 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can.git tags/linux-can-fixes-for-4.2-20150715

for you to fetch changes up to 1c0ee046957648106b415df79038e4e62b144c19:

  can: pcan_usb: don't touch skb after netif_rx() (2015-07-15 09:04:28 +0200)

----------------------------------------------------------------
linux-can-fixes-for-4.2-20150715

----------------------------------------------------------------
Marc Kleine-Budde (12):
      can: at91_can: don't touch skb after netif_receive_skb()/netif_rx()
      can: flexcan: don't touch skb after netif_receive_skb()
      can: bfin_can: don't touch skb after netif_rx()
      can: grcan: don't touch skb after netif_rx()
      can: slcan: don't touch skb after netif_rx_ni()
      can: ti_heccn: don't touch skb after netif_rx()
      can: cc770: don't touch skb after netif_rx()
      can: sja1000: don't touch skb after netif_rx()
      can: esd_usb2: don't touch skb after netif_rx()
      can: ems_usb: don't touch skb after netif_rx()
      can: usb_8dev: don't touch skb after netif_rx()
      can: pcan_usb: don't touch skb after netif_rx()

 drivers/net/can/at91_can.c                  | 8 ++++----
 drivers/net/can/bfin_can.c                  | 6 ++----
 drivers/net/can/cc770/cc770.c               | 4 ++--
 drivers/net/can/flexcan.c                   | 7 +++----
 drivers/net/can/grcan.c                     | 3 ++-
 drivers/net/can/sja1000/sja1000.c           | 6 ++----
 drivers/net/can/slcan.c                     | 2 +-
 drivers/net/can/ti_hecc.c                   | 2 +-
 drivers/net/can/usb/ems_usb.c               | 6 ++----
 drivers/net/can/usb/esd_usb2.c              | 6 ++----
 drivers/net/can/usb/peak_usb/pcan_usb.c     | 7 +++----
 drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 4 ++--
 drivers/net/can/usb/usb_8dev.c              | 6 ++----
 13 files changed, 28 insertions(+), 39 deletions(-)



* [PATCH 01/12] can: at91_can: don't touch skb after netif_receive_skb()/netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 02/12] can: flexcan: don't touch skb after netif_receive_skb() Marc Kleine-Budde
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/at91_can.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
index f4e40aa4d2a2..945c0955a967 100644
--- a/drivers/net/can/at91_can.c
+++ b/drivers/net/can/at91_can.c
@@ -577,10 +577,10 @@ static void at91_rx_overflow_err(struct net_device *dev)
 
 	cf->can_id |= CAN_ERR_CRTL;
 	cf->data[1] = CAN_ERR_CRTL_RX_OVERFLOW;
-	netif_receive_skb(skb);
 
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_receive_skb(skb);
 }
 
 /**
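Review bot: the old order in at91_rx_overflow_err() is a little worse than a harmless read. `stats->rx_bytes += cf->can_dlc` ran after netif_receive_skb(skb), and going by the subject line cf belongs to that skb, so once the memory was reused the counter could absorb an arbitrary byte. Consider stating that in the commit log, since it is a visible effect even without the debugging options.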
@@ -642,10 +642,10 @@ static void at91_read_msg(struct net_device *dev, unsigned int mb)
 	}
 
 	at91_read_mb(dev, mb, cf);
-	netif_receive_skb(skb);
 
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_receive_skb(skb);
 
 	can_led_event(dev, CAN_LED_EVENT_RX);
 }
@@ -802,10 +802,10 @@ static int at91_poll_err(struct net_device *dev, int quota, u32 reg_sr)
 		return 0;
 
 	at91_poll_err_frame(dev, cf, reg_sr);
-	netif_receive_skb(skb);
 
 	dev->stats.rx_packets++;
 	dev->stats.rx_bytes += cf->can_dlc;
+	netif_receive_skb(skb);
 
 	return 1;
 }
@@ -1067,10 +1067,10 @@ static void at91_irq_err(struct net_device *dev)
 		return;
 
 	at91_irq_err_state(dev, cf, new_state);
-	netif_rx(skb);
 
 	dev->stats.rx_packets++;
 	dev->stats.rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 
 	priv->can.state = new_state;
 }
-- 
2.1.4


* [PATCH 02/12] can: flexcan: don't touch skb after netif_receive_skb()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 01/12] can: at91_can: don't touch skb after netif_receive_skb()/netif_rx() Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 03/12] can: bfin_can: don't touch skb after netif_rx() Marc Kleine-Budde
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/flexcan.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index 6201c5a1a884..b1e8d729851c 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -577,10 +577,10 @@ static int flexcan_poll_bus_err(struct net_device *dev, u32 reg_esr)
 		return 0;
 
 	do_bus_err(dev, cf, reg_esr);
-	netif_receive_skb(skb);
 
 	dev->stats.rx_packets++;
 	dev->stats.rx_bytes += cf->can_dlc;
+	netif_receive_skb(skb);
 
 	return 1;
 }
@@ -622,10 +622,9 @@ static int flexcan_poll_state(struct net_device *dev, u32 reg_esr)
 	if (unlikely(new_state == CAN_STATE_BUS_OFF))
 		can_bus_off(dev);
 
-	netif_receive_skb(skb);
-
 	dev->stats.rx_packets++;
 	dev->stats.rx_bytes += cf->can_dlc;
+	netif_receive_skb(skb);
 
 	return 1;
 }
@@ -670,10 +669,10 @@ static int flexcan_read_frame(struct net_device *dev)
 	}
 
 	flexcan_read_fifo(dev, cf);
-	netif_receive_skb(skb);
 
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_receive_skb(skb);
 
 	can_led_event(dev, CAN_LED_EVENT_RX);
 
-- 
2.1.4



* [PATCH 03/12] can: bfin_can: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 01/12] can: at91_can: don't touch skb after netif_receive_skb()/netif_rx() Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 02/12] can: flexcan: don't touch skb after netif_receive_skb() Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 04/12] can: grcan: " Marc Kleine-Budde
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Aaron Wu

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Aaron Wu <Aaron.wu@analog.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/bfin_can.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/bfin_can.c b/drivers/net/can/bfin_can.c
index 27ad312e7abf..57dadd52b428 100644
--- a/drivers/net/can/bfin_can.c
+++ b/drivers/net/can/bfin_can.c
@@ -424,10 +424,9 @@ static void bfin_can_rx(struct net_device *dev, u16 isrc)
 		cf->data[6 - i] = (6 - i) < cf->can_dlc ? (val >> 8) : 0;
 	}
 
-	netif_rx(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 }
 
 static int bfin_can_err(struct net_device *dev, u16 isrc, u16 status)
@@ -508,10 +507,9 @@ static int bfin_can_err(struct net_device *dev, u16 isrc, u16 status)
 
 	priv->can.state = state;
 
-	netif_rx(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 
 	return 0;
 }
-- 
2.1.4


* [PATCH 04/12] can: grcan: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (2 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 03/12] can: bfin_can: don't touch skb after netif_rx() Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 05/12] can: slcan: don't touch skb after netif_rx_ni() Marc Kleine-Budde
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Andreas Larsson

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/grcan.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/grcan.c b/drivers/net/can/grcan.c
index e3d7e22a4fa0..db9538d4b358 100644
--- a/drivers/net/can/grcan.c
+++ b/drivers/net/can/grcan.c
@@ -1216,11 +1216,12 @@ static int grcan_receive(struct net_device *dev, int budget)
 				cf->data[i] = (u8)(slot[j] >> shift);
 			}
 		}
-		netif_receive_skb(skb);
 
 		/* Update statistics and read pointer */
 		stats->rx_packets++;
 		stats->rx_bytes += cf->can_dlc;
+		netif_receive_skb(skb);
+
 		rd = grcan_ring_add(rd, GRCAN_MSG_SIZE, dma->rx.size);
 	}
 
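Review bot: the subject line says netif_rx(), but the call this hunk moves in grcan_receive() is netif_receive_skb(); the subject should name the function actually used. The moved call also now sits between the two things the comment `/* Update statistics and read pointer */` announces, so placing it after `rd = grcan_ring_add(rd, GRCAN_MSG_SIZE, dma->rx.size);` would keep that comment accurate.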
-- 
2.1.4



* [PATCH 05/12] can: slcan: don't touch skb after netif_rx_ni()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (3 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 04/12] can: grcan: " Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 06/12] can: ti_heccn: don't touch skb after netif_rx() Marc Kleine-Budde
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Oliver Hartkopp

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/slcan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
index a23a7af8eb9a..9a3f15cb7ef4 100644
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -218,10 +218,10 @@ static void slc_bump(struct slcan *sl)
 
 	memcpy(skb_put(skb, sizeof(struct can_frame)),
 	       &cf, sizeof(struct can_frame));
-	netif_rx_ni(skb);
 
 	sl->dev->stats.rx_packets++;
 	sl->dev->stats.rx_bytes += cf.can_dlc;
+	netif_rx_ni(skb);
 }
 
 /* parse tty input stream */
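Review bot: in slc_bump() the stats line reads `cf.can_dlc`, and `cf` is a struct object separate from the skb (`&cf` is the source of the memcpy() into `skb_put(skb, sizeof(struct can_frame))`), so the old order never read skb memory after netif_rx_ni(). The reorder is fine for consistency with the rest of the series, but the commit message for this patch should say that instead of describing a use after free.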
-- 
2.1.4



* [PATCH 06/12] can: ti_heccn: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (4 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 05/12] can: slcan: don't touch skb after netif_rx_ni() Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 07/12] can: cc770: " Marc Kleine-Budde
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Anant Gole

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Anant Gole <anantgole@ti.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/ti_hecc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
index e95a9e1a889f..cf345cbfe819 100644
--- a/drivers/net/can/ti_hecc.c
+++ b/drivers/net/can/ti_hecc.c
@@ -747,9 +747,9 @@ static int ti_hecc_error(struct net_device *ndev, int int_status,
 		}
 	}
 
-	netif_rx(skb);
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 
 	return 0;
 }
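Review bot: the subject prefix is spelled `ti_heccn`, while this hunk changes ti_hecc_error() in drivers/net/can/ti_hecc.c. Fix the prefix to `ti_hecc` so the commit is found when the log is searched by driver name.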
-- 
2.1.4


* [PATCH 07/12] can: cc770: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (5 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 06/12] can: ti_heccn: don't touch skb after netif_rx() Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 08/12] can: sja1000: " Marc Kleine-Budde
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Wolfgang Grandegger

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/cc770/cc770.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/cc770/cc770.c b/drivers/net/can/cc770/cc770.c
index c11d44984036..70a8cbb29e75 100644
--- a/drivers/net/can/cc770/cc770.c
+++ b/drivers/net/can/cc770/cc770.c
@@ -504,10 +504,10 @@ static void cc770_rx(struct net_device *dev, unsigned int mo, u8 ctrl1)
 		for (i = 0; i < cf->can_dlc; i++)
 			cf->data[i] = cc770_read_reg(priv, msgobj[mo].data[i]);
 	}
-	netif_rx(skb);
 
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 }
 
 static int cc770_err(struct net_device *dev, u8 status)
@@ -584,10 +584,10 @@ static int cc770_err(struct net_device *dev, u8 status)
 		}
 	}
 
-	netif_rx(skb);
 
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 
 	return 0;
 }
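Review bot: removing `netif_rx(skb);` in this cc770_err() hunk leaves two consecutive blank lines before `stats->rx_packets++;`, because the blank lines on both sides of the old call are kept as context. Drop one of them, as the sja1000 and ems_usb patches in this series do by removing the call together with its trailing blank line.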
-- 
2.1.4



* [PATCH 08/12] can: sja1000: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (6 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 07/12] can: cc770: " Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 09/12] can: esd_usb2: " Marc Kleine-Budde
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev
  Cc: davem, linux-can, kernel, Marc Kleine-Budde, Wolfgang Grandegger,
	Oliver Hartkopp

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/sja1000/sja1000.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
index 32bd7f451aa4..7b92e911a616 100644
--- a/drivers/net/can/sja1000/sja1000.c
+++ b/drivers/net/can/sja1000/sja1000.c
@@ -377,10 +377,9 @@ static void sja1000_rx(struct net_device *dev)
 	/* release receive buffer */
 	sja1000_write_cmdreg(priv, CMD_RRB);
 
-	netif_rx(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 
 	can_led_event(dev, CAN_LED_EVENT_RX);
 }
@@ -484,10 +483,9 @@ static int sja1000_err(struct net_device *dev, uint8_t isrc, uint8_t status)
 			can_bus_off(dev);
 	}
 
-	netif_rx(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 
 	return 0;
 }
-- 
2.1.4



* [PATCH 09/12] can: esd_usb2: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (7 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 08/12] can: sja1000: " Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 10/12] can: ems_usb: " Marc Kleine-Budde
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Thomas Körper

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Thomas Körper <thomas.koerper@esd.eu>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/esd_usb2.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
index 411c1af92c62..0e5a4493ba4f 100644
--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
@@ -301,13 +301,12 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
 			cf->data[7] = rxerr;
 		}
 
-		netif_rx(skb);
-
 		priv->bec.txerr = txerr;
 		priv->bec.rxerr = rxerr;
 
 		stats->rx_packets++;
 		stats->rx_bytes += cf->can_dlc;
+		netif_rx(skb);
 	}
 }
 
@@ -347,10 +346,9 @@ static void esd_usb2_rx_can_msg(struct esd_usb2_net_priv *priv,
 				cf->data[i] = msg->msg.rx.data[i];
 		}
 
-		netif_rx(skb);
-
 		stats->rx_packets++;
 		stats->rx_bytes += cf->can_dlc;
+		netif_rx(skb);
 	}
 
 	return;
-- 
2.1.4



* [PATCH 10/12] can: ems_usb: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (8 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 09/12] can: esd_usb2: " Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 11/12] can: usb_8dev: " Marc Kleine-Budde
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Gerhard Uttenthaler

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Gerhard Uttenthaler <uttenthaler@ems-wuensche.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/ems_usb.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
index 866bac0ae7e9..2d390384ef3b 100644
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -324,10 +324,9 @@ static void ems_usb_rx_can_msg(struct ems_usb *dev, struct ems_cpc_msg *msg)
 			cf->data[i] = msg->msg.can_msg.msg[i];
 	}
 
-	netif_rx(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 }
 
 static void ems_usb_rx_err(struct ems_usb *dev, struct ems_cpc_msg *msg)
@@ -400,10 +399,9 @@ static void ems_usb_rx_err(struct ems_usb *dev, struct ems_cpc_msg *msg)
 		stats->rx_errors++;
 	}
 
-	netif_rx(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 }
 
 /*
-- 
2.1.4



* [PATCH 11/12] can: usb_8dev: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (9 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 10/12] can: ems_usb: " Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-15  7:09 ` [PATCH 12/12] can: pcan_usb: " Marc Kleine-Budde
  2015-07-16  0:27 ` pull-request: can 2015-07-15 David Miller
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Bernd Krumboeck

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Bernd Krumboeck <b.krumboeck@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/usb_8dev.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c
index dd52c7a4c80d..de95b1ccba3e 100644
--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -461,10 +461,9 @@ static void usb_8dev_rx_err_msg(struct usb_8dev_priv *priv,
 	priv->bec.txerr = txerr;
 	priv->bec.rxerr = rxerr;
 
-	netif_rx(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 }
 
 /* Read data and status frames */
@@ -494,10 +493,9 @@ static void usb_8dev_rx_can_msg(struct usb_8dev_priv *priv,
 		else
 			memcpy(cf->data, msg->data, cf->can_dlc);
 
-		netif_rx(skb);
-
 		stats->rx_packets++;
 		stats->rx_bytes += cf->can_dlc;
+		netif_rx(skb);
 
 		can_led_event(priv->netdev, CAN_LED_EVENT_RX);
 	} else {
-- 
2.1.4



* [PATCH 12/12] can: pcan_usb: don't touch skb after netif_rx()
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (10 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 11/12] can: usb_8dev: " Marc Kleine-Budde
@ 2015-07-15  7:09 ` Marc Kleine-Budde
  2015-07-16  0:27 ` pull-request: can 2015-07-15 David Miller
  12 siblings, 0 replies; 14+ messages in thread
From: Marc Kleine-Budde @ 2015-07-15  7:09 UTC (permalink / raw
  To: netdev; +Cc: davem, linux-can, kernel, Marc Kleine-Budde, Stephane Grosjean

There is no guarantee that the skb is in the same state after calling
netif_receive_skb() or netif_rx(). It might be freed or reused. Not really
harmful as it's a read access, except you turn on the proper debugging options
which catch a use after free.

Cc: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/peak_usb/pcan_usb.c     | 7 +++----
 drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 4 ++--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c
index 72427f21edff..6b94007ae052 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
@@ -526,9 +526,9 @@ static int pcan_usb_decode_error(struct pcan_usb_msg_context *mc, u8 n,
 		hwts->hwtstamp = timeval_to_ktime(tv);
 	}
 
-	netif_rx(skb);
 	mc->netdev->stats.rx_packets++;
 	mc->netdev->stats.rx_bytes += cf->can_dlc;
+	netif_rx(skb);
 
 	return 0;
 }
@@ -659,12 +659,11 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len)
 	hwts = skb_hwtstamps(skb);
 	hwts->hwtstamp = timeval_to_ktime(tv);
 
-	/* push the skb */
-	netif_rx(skb);
-
 	/* update statistics */
 	mc->netdev->stats.rx_packets++;
 	mc->netdev->stats.rx_bytes += cf->can_dlc;
+	/* push the skb */
+	netif_rx(skb);
 
 	return 0;
 
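Review bot: in pcan_usb_decode_data() the re-added `/* push the skb */` comment now follows `mc->netdev->stats.rx_bytes += cf->can_dlc;` with no blank line, while the `/* update statistics */` block above it is set off by one. Add a blank line before the comment so the two commented steps stay visually separate.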
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
index dec51717635e..7d61b3279798 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
@@ -553,9 +553,9 @@ static int pcan_usb_pro_handle_canmsg(struct pcan_usb_pro_interface *usb_if,
 	hwts = skb_hwtstamps(skb);
 	hwts->hwtstamp = timeval_to_ktime(tv);
 
-	netif_rx(skb);
 	netdev->stats.rx_packets++;
 	netdev->stats.rx_bytes += can_frame->can_dlc;
+	netif_rx(skb);
 
 	return 0;
 }
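Review bot: this hunk in pcan_usb_pro_handle_canmsg() is in drivers/net/can/usb/peak_usb/pcan_usb_pro.c, but the subject only names pcan_usb. A prefix that covers both files, such as the shared peak_usb directory name, or a separate patch for pcan_usb_pro.c, would make the change easier to find in the log.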
@@ -670,9 +670,9 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if,
 	peak_usb_get_ts_tv(&usb_if->time_ref, le32_to_cpu(er->ts32), &tv);
 	hwts = skb_hwtstamps(skb);
 	hwts->hwtstamp = timeval_to_ktime(tv);
-	netif_rx(skb);
 	netdev->stats.rx_packets++;
 	netdev->stats.rx_bytes += can_frame->can_dlc;
+	netif_rx(skb);
 
 	return 0;
 }
-- 
2.1.4


* Re: pull-request: can 2015-07-15
  2015-07-15  7:09 pull-request: can 2015-07-15 Marc Kleine-Budde
                   ` (11 preceding siblings ...)
  2015-07-15  7:09 ` [PATCH 12/12] can: pcan_usb: " Marc Kleine-Budde
@ 2015-07-16  0:27 ` David Miller
  12 siblings, 0 replies; 14+ messages in thread
From: David Miller @ 2015-07-16  0:27 UTC (permalink / raw
  To: mkl; +Cc: netdev, linux-can, kernel

From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Wed, 15 Jul 2015 09:09:37 +0200

> this is a pull request of 12 patches by me.
> 
> This series fixes the use of the skb after netif_receive_skb() /
> netif_rx() which exists in several drivers.

Pulled, thanks Marc.
