From: Hangyu Hua
To: rcsekar@samsung.com, wg@grandegger.com, mkl@pengutronix.de, davem@davemloft.net, kuba@kernel.org
Cc: linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Hangyu Hua
Subject: [PATCH] can: m_can: fix a possible use after free in m_can_tx_handler()
Date: Thu, 17 Mar 2022 11:01:43 +0800
Message-Id: <20220317030143.14668-1-hbh25y@gmail.com>

can_put_echo_skb will clone skb then free the skb. It is better to avoid using skb after can_put_echo_skb.

Signed-off-by: Hangyu Hua

--- drivers/net/can/m_can/m_can.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c index 1a4b56f6fa8c..98be5742f4f5 100644 --- a/drivers/net/can/m_can/m_can.c +++ b/drivers/net/can/m_can/m_can.c @@ -1607,6 +1607,7 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev) u32 cccr, fdflags; int err; int putidx; + unsigned int len = skb->len; cdev->tx_skb = NULL; @@ -1642,7 +1643,7 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev) if (cdev->can.ctrlmode & CAN_CTRLMODE_FD) { cccr = m_can_read(cdev, M_CAN_CCCR); cccr &= ~CCCR_CMR_MASK; - if (can_is_canfd_skb(skb)) { + if (len == CANFD_MTU) { if (cf->flags & CANFD_BRS) cccr |= FIELD_PREP(CCCR_CMR_MASK, CCCR_CMR_CANFD_BRS); -- 2.25.1
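Review bot: In the first hunk (@@ -1607), the added `unsigned int len = skb->len;` caches a raw length whose only later use is the comparison against CANFD_MTU, which open-codes what can_is_canfd_skb() expressed. Saving the helper's result in a bool at the same spot (for example `bool is_canfd = can_is_canfd_skb(skb);`, a name suggested here) would keep one definition of "is a CAN FD frame" and make it obvious why the value is captured early. A short comment that skb must not be touched after can_put_echo_skb() would also help, since neither hunk shows where that call sits relative to these lines.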
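Review bot: In the second hunk (@@ -1642), the line directly after the changed condition still reads `cf->flags & CANFD_BRS`. The assignment of cf is outside the visible context, but if it points into the skb's data then this read has the same lifetime problem the patch sets out to remove, and replacing only the can_is_canfd_skb(skb) test leaves it in place. Either save the BRS flag together with the length before can_put_echo_skb() runs, or move this CCCR block ahead of that call. The commit message would also be easier to verify if it named the statement that uses skb after the call and carried a Fixes: tag for the commit that introduced it.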