From 04ed880706fc9fdd6ecd284de47a40c40a091b84 Mon Sep 17 00:00:00 2001
From: Stefan Kratochwil <stefan.kratochwil@cetitec.com>
Date: Tue, 7 Nov 2017 11:48:16 +0100
Subject: [PATCH] Fixed NULL ptr deref in enqueue_to_backlog().

This function may be called from within an interrupt context, e.g. when
putting a CAN interface down while transmitting data. While free_skb()
is not interrupt safe, dev_free_skb_any() is.

See https://marc.info/?l=linux-netdev&m=150996705622284&w=2 for more
details.

Signed-off-by: Stefan Kratochwil <stefan.kratochwil@cetitec.com>
---
 net/core/dev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 30b5fe32c525..6c3a5f1f72a8 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3886,7 +3886,9 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu,
 	local_irq_restore(flags);
 
 	atomic_long_inc(&skb->dev->rx_dropped);
-	kfree_skb(skb);
+
+	/* We may have been called from within an IRQ context. */
+	dev_kfree_skb_any(skb);
 	return NET_RX_DROP;
 }
 
-- 
2.15.0