can: dev: can_restart: fix use after free bug

After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the netif_rx_ni() in:
      stats->rx_bytes += cf->len;

Reordering the lines solves the issue.

Fixes: 39549ee ("can: CAN Network device driver and Netlink interface")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vincent Mailhol <[email protected]>
Signed-off-by: Marc Kleine-Budde <[email protected]>

Author: vincent-mailhol

drivers/net/can/dev.c

@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev)
 
 	cf->can_id |= CAN_ERR_RESTARTED;
 
-	netif_rx_ni(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->len;
 
+	netif_rx_ni(skb);
+
 restart:
 	netdev_dbg(dev, "restarted\n");
 	priv->can_stats.restarts++;