Date: Tue, 13 Apr 2021 14:00:42 +0200
From: Marc Kleine-Budde
To: Vincent Mailhol
Cc: linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Arunachalam Santhanam, "David S. Miller", Jakub Kicinski
Subject: Re: [PATCH] can: etas_es58x: fix null pointer dereference when handling error frames
Message-ID: <20210413120042.27sfrb4hgrr4ua7x@pengutronix.de>
In-Reply-To: <20210413114242.2760-1-mailhol.vincent@wanadoo.fr>

On 13.04.2021 20:42:42, Vincent Mailhol wrote:
> During the handling of CAN bus errors, a CAN error SKB is allocated
> using alloc_can_err_skb(). Even if the allocation of the SKB fails,
> the function continues in order to do the stats handling.
>
> All access to the can_frame pointer (cf) should be guarded by an if
> statement:
>	if (cf)
>
> However, the increment of the rx_bytes stats:
>	netdev->stats.rx_bytes += cf->can_dlc;
> dereferences the cf pointer and was not guarded by an if condition
> leading to a NULL pointer dereference if the can_err_skb() function
> failed.
>
> Replacing the cf->can_dlc by the macro CAN_ERR_DLC (which is the
> length of any CAN error frames) solves this NULL pointer dereference.
>
> Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
> Reported-by: Arunachalam Santhanam
> Signed-off-by: Vincent Mailhol
> ---
> Hi Marc,
>
> I am really sorry, but I was just notified about this issue literally
> a few minutes after you sent the pull request to net-next. :D
> I am not sure how to proceed. You might either cancel the pull request
> and squash this to 8537257874e9 ("can: etas_es58x: add core support
> for ETAS ES58X CAN USB interfaces") or send it as a separate patch.
>
> Please let me know if you need me to do anything.

I'll send a follow-up pull request tomorrow.

regards,
Marc

--
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
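
Added example, not part of the original mail and not the etas_es58x driver's code: a user-space model of the bug the quoted commit message describes, with the unguarded stats update beside the fixed form. The names alloc_err_frame(), handle_bus_error_before(), handle_bus_error_after() and struct net_stats are hypothetical stand-ins, the allocation failure is simulated with a flag, and CAN_ERR_DLC is assumed to be 8.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define CAN_ERR_DLC  8            /* assumed: length of every CAN error frame */
#define CAN_ERR_FLAG 0x20000000U  /* marks a frame as an error frame */

struct can_frame { uint32_t can_id; uint8_t can_dlc; uint8_t data[8]; };
struct net_stats { unsigned long rx_packets, rx_bytes; };  /* hypothetical */

/* Stand-in for alloc_can_err_skb(): returns NULL when allocation fails. */
static struct can_frame *alloc_err_frame(int simulate_oom)
{
    struct can_frame *cf;

    if (simulate_oom)
        return NULL;
    cf = calloc(1, sizeof(*cf));
    if (cf) {
        cf->can_id = CAN_ERR_FLAG;
        cf->can_dlc = CAN_ERR_DLC;
    }
    return cf;
}

/* Before the fix: the stats update reads through cf even when it is NULL. */
void handle_bus_error_before(struct net_stats *stats, int simulate_oom)
{
    struct can_frame *cf = alloc_err_frame(simulate_oom);

    if (cf)
        cf->data[2] |= 0x01;          /* guarded access (constructed value) */
    stats->rx_packets++;
    stats->rx_bytes += cf->can_dlc;   /* unguarded: NULL dereference on failure */
    free(cf);
}

/* After the fix: the byte count is a constant and never touches cf. */
void handle_bus_error_after(struct net_stats *stats, int simulate_oom)
{
    struct can_frame *cf = alloc_err_frame(simulate_oom);

    if (cf)
        cf->data[2] |= 0x01;
    stats->rx_packets++;
    stats->rx_bytes += CAN_ERR_DLC;   /* same value, no pointer involved */
    free(cf);                         /* free(NULL) is a no-op */
}
```

Calling handle_bus_error_before() with simulate_oom set crashes the process, which is the user-space analogue of the kernel oops; the fixed variant keeps the statistics consistent on both paths.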