From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marc Kleine-Budde , Sasha Levin Subject: [PATCH 5.12 044/363] can: dev: can_free_echo_skb(): dont crash the kernel if can_priv::echo_skb is accessed out of bounds Date: Mon, 17 May 2021 15:58:30 +0200 Message-Id: <20210517140304.093695566@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210517140302.508966430@linuxfoundation.org> References: <20210517140302.508966430@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marc Kleine-Budde [ Upstream commit 4168d079aa41498639b2c64b4583375bcdf360d9 ] A out of bounds access to "struct can_priv::echo_skb" leads to a kernel crash. Better print a sensible warning message instead and try to recover. This patch is similar to: | e7a6994d043a ("can: dev: __can_get_echo_skb(): Don't crash the kernel | if can_priv::echo_skb is accessed out of bounds") Link: https://lore.kernel.org/r/20210319142700.305648-2-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin --- drivers/net/can/dev/skb.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/dev/skb.c b/drivers/net/can/dev/skb.c index 6a64fe410987..c3508109263e 100644 --- a/drivers/net/can/dev/skb.c +++ b/drivers/net/can/dev/skb.c @@ -151,7 +151,11 @@ void can_free_echo_skb(struct net_device *dev, unsigned int idx) { struct can_priv *priv = netdev_priv(dev); - BUG_ON(idx >= priv->echo_skb_max); + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", + __func__, idx, priv->echo_skb_max); + return; + } if (priv->echo_skb[idx]) { dev_kfree_skb_any(priv->echo_skb[idx]); -- 2.30.2
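
Review bot: In the new `if (idx >= priv->echo_skb_max)` branch of can_free_echo_skb(), `__func__` resolves to can_free_echo_skb itself, so the log line names this helper and the net device but not the driver call site that passed the out-of-range index. The function returns void, so the caller gets no signal that nothing was freed either. The netdev_err() is also unconditional: a driver that repeats the bad call on every frame would emit the message each time. Consider a once-only or rate-limited report that includes a backtrace, so the offending caller can be identified without flooding the log, and state in the commit message whether any caller needs to know that the early `return;` was taken.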