From 04ed880706fc9fdd6ecd284de47a40c40a091b84 Mon Sep 17 00:00:00 2001
From: Stefan Kratochwil
Date: Tue, 7 Nov 2017 11:48:16 +0100
Subject: [PATCH] Fixed NULL ptr deref in enqueue_to_backlog().
This function may be called from within an interrupt context, e.g. when putting a CAN interface down while transmitting data. While free_skb() is not interrupt safe, dev_free_skb_any() is. See https://marc.info/?l=linux-netdev&m=150996705622284&w=2 for more details.
Signed-off-by: Stefan Kratochwil
---
 net/core/dev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 30b5fe32c525..6c3a5f1f72a8 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3886,7 +3886,9 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu,
 local_irq_restore(flags);
 atomic_long_inc(&skb->dev->rx_dropped);
- kfree_skb(skb);
+
+ /* We may have been called from within an IRQ context. */
+ dev_kfree_skb_any(skb);
 return NET_RX_DROP;
 }
-- 
2.15.0
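Review bot: The comment added before `dev_kfree_skb_any(skb)` says only that the caller may be in IRQ context, and nothing in the hunk shows which pointer was NULL, so the link between the title and this one-line change cannot be checked from the patch. The `atomic_long_inc(&skb->dev->rx_dropped)` just above still dereferences `skb->dev` unconditionally, so if that was the faulting access this change does not cover it. I would have the comment carry the reason, e.g. `/* May run in hard-IRQ context (e.g. CAN interface going down mid-transmit), where kfree_skb() is not safe. */`. It is also worth confirming that both paths of `dev_kfree_skb_any()` still report the packet as a drop to the kfree_skb tracepoint, since drop monitoring on this path depends on it. The body of enqueue_to_backlog() starts outside the hunk.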