releases/4.14.139/can-peak_usb-fix-potential-double-kfree_skb.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From fee6a8923ae0d318a7f7950c6c6c28a96cea099b Mon Sep 17 00:00:00 2001
 From: Stephane Grosjean <s.grosjean@peak-system.com>
 Date: Fri, 5 Jul 2019 15:32:16 +0200
 Subject: can: peak_usb: fix potential double kfree_skb()

 From: Stephane Grosjean <s.grosjean@peak-system.com>

 commit fee6a8923ae0d318a7f7950c6c6c28a96cea099b upstream.

 When closing the CAN device while tx skbs are inflight, echo skb could
 be released twice. By calling close_candev() before unlinking all
 pending tx urbs, then the internal echo_skb[] array is fully and
 correctly cleared before the USB write callback and, therefore,
 can_get_echo_skb() are called, for each aborted URB.

 Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
 Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
 Cc: linux-stable <stable@vger.kernel.org>
 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/net/can/usb/peak_usb/pcan_usb_core.c |    8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 --- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
 +++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
 @@ -594,16 +594,16 @@ static int peak_usb_ndo_stop(struct net_
  	dev->state &= ~PCAN_USB_STATE_STARTED;
  	netif_stop_queue(netdev);

 +	close_candev(netdev);
 +
 +	dev->can.state = CAN_STATE_STOPPED;
 +
  	/* unlink all pending urbs and free used memory */
  	peak_usb_unlink_all_urbs(dev);

  	if (dev->adapter->dev_stop)
  		dev->adapter->dev_stop(dev);

 -	close_candev(netdev);
 -
 -	dev->can.state = CAN_STATE_STOPPED;
 -
  	/* can set bus off now */
  	if (dev->adapter->dev_set_bus) {
  		int err = dev->adapter->dev_set_bus(dev, 0);
	From fee6a8923ae0d318a7f7950c6c6c28a96cea099b Mon Sep 17 00:00:00 2001
	From: Stephane Grosjean <s.grosjean@peak-system.com>
	Date: Fri, 5 Jul 2019 15:32:16 +0200
	Subject: can: peak_usb: fix potential double kfree_skb()

	From: Stephane Grosjean <s.grosjean@peak-system.com>

	commit fee6a8923ae0d318a7f7950c6c6c28a96cea099b upstream.

	When closing the CAN device while tx skbs are inflight, echo skb could
	be released twice. By calling close_candev() before unlinking all
	pending tx urbs, then the internal echo_skb[] array is fully and
	correctly cleared before the USB write callback and, therefore,
	can_get_echo_skb() are called, for each aborted URB.

	Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
	Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
	Cc: linux-stable <stable@vger.kernel.org>
	Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/net/can/usb/peak_usb/pcan_usb_core.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
	+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
	@@ -594,16 +594,16 @@ static int peak_usb_ndo_stop(struct net_
	dev->state &= ~PCAN_USB_STATE_STARTED;
	netif_stop_queue(netdev);

	+ close_candev(netdev);
	+
	+ dev->can.state = CAN_STATE_STOPPED;
	+
	/* unlink all pending urbs and free used memory */
	peak_usb_unlink_all_urbs(dev);

	if (dev->adapter->dev_stop)
	dev->adapter->dev_stop(dev);

	- close_candev(netdev);
	-
	- dev->can.state = CAN_STATE_STOPPED;
	-
	/* can set bus off now */
	if (dev->adapter->dev_set_bus) {
	int err = dev->adapter->dev_set_bus(dev, 0);