From 004fa7cbe5ac2b59c8364bbe8fd2c004c8230b6f Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Apr 04 2022 15:56:47 +0000 Subject: can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path (CVE-2022-28390 bsc#1198031). --- diff --git a/patches.suse/can-ems_usb-ems_usb_start_xmit-fix-double-dev_kfree_.patch b/patches.suse/can-ems_usb-ems_usb_start_xmit-fix-double-dev_kfree_.patch new file mode 100644 index 0000000..f62cf0b --- /dev/null +++ b/patches.suse/can-ems_usb-ems_usb_start_xmit-fix-double-dev_kfree_.patch @@ -0,0 +1,39 @@ +From c70222752228a62135cee3409dccefd494a24646 Mon Sep 17 00:00:00 2001 +From: Hangyu Hua +Date: Mon, 28 Feb 2022 16:36:39 +0800 +Subject: [PATCH] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path +Git-commit: c70222752228a62135cee3409dccefd494a24646 +Patch-mainline: v5.18-rc1 +References: CVE-2022-28390 bsc#1198031 + +There is no need to call dev_kfree_skb() when usb_submit_urb() fails +beacause can_put_echo_skb() deletes the original skb and +can_free_echo_skb() deletes the cloned skb. + +Link: https://lore.kernel.org/all/20220228083639.38183-1-hbh25y@gmail.com +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Cc: stable@vger.kernel.org +Cc: Sebastian Haas +Signed-off-by: Hangyu Hua +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/usb/ems_usb.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c +index 7bedceffdfa3..bbec3311d893 100644 +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -819,7 +819,6 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne + + usb_unanchor_urb(urb); + usb_free_coherent(dev->udev, size, buf, urb->transfer_dma); +- dev_kfree_skb(skb); + + atomic_dec(&dev->active_tx_urbs); + +-- +2.31.1 + diff --git a/series.conf b/series.conf index bc86ad7..c2c682d 100644 --- a/series.conf +++ b/series.conf @@ -26675,6 +26675,7 @@ patches.suse/ALSA-pcm-Fix-races-among-concurrent-read-write-and-b.patch patches.suse/ALSA-pcm-Fix-races-among-concurrent-prepare-and-hw_p.patch patches.suse/ALSA-pcm-Fix-races-among-concurrent-prealloc-proc-wr.patch + patches.suse/can-ems_usb-ems_usb_start_xmit-fix-double-dev_kfree_.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch