• Uwe Kleine-König's avatar
    can: flexcan: fix NULL pointer exception during bringup · 44486b29
    Uwe Kleine-König authored
    commit a55234da upstream.
    
    Commit cbffaf7a ("can: flexcan: Always use last mailbox for TX")
    introduced a loop letting i run up to (including) ARRAY_SIZE(regs->mb)
    and in the body accessed regs->mb[i] which is an out-of-bounds array
    access that then resulted in an access to an reserved register area.
    
    Later this was changed by commit 0517961c ("can: flexcan: Add
    provision for variable payload size") to iterate a bit differently but
    still runs one iteration too much resulting to call
    
    	flexcan_get_mb(priv, priv->mb_count)
    
    which results in a WARN_ON and then a NULL pointer exception. This
    only affects devices compatible with "fsl,p1010-flexcan",
    "fsl,imx53-flexcan", "fsl,imx35-flexcan", "fsl,imx25-flexcan",
    "fsl,imx28-flexcan", so newer i.MX SoCs are not affected.
    
    Fixes: cbffaf7a ("can: flexcan: Always use last mailbox for TX")
    Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Cc: linux-stable <stable@vger.kernel.org> # >= 4.20
    Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    44486b29
Name
Last commit
Last update
..
c_can Loading commit data...
cc770 Loading commit data...
ifi_canfd Loading commit data...
m_can Loading commit data...
mscan Loading commit data...
peak_canfd Loading commit data...
rcar Loading commit data...
sja1000 Loading commit data...
softing Loading commit data...
spi Loading commit data...
usb Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
at91_can.c Loading commit data...
dev.c Loading commit data...
flexcan.c Loading commit data...
grcan.c Loading commit data...
janz-ican3.c Loading commit data...
led.c Loading commit data...
pch_can.c Loading commit data...
rx-offload.c Loading commit data...
slcan.c Loading commit data...
sun4i_can.c Loading commit data...
ti_hecc.c Loading commit data...
vcan.c Loading commit data...
vxcan.c Loading commit data...
xilinx_can.c Loading commit data...