If skb allocation fails, the pointer to struct can_frame is NULL. This is actually handled everywhere inside ctucan_err_interrupt() except for the only place.
Add the missed NULL check.
Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.
Fixes: 2dcb8e8782d8 ("can: ctucanfd: add support for CTU CAN FD open-source IP core - bus independent part.") Cc: stable@vger.kernel.org Signed-off-by: Fedor Pchelkin pchelkin@ispras.ru --- drivers/net/can/ctucanfd/ctucanfd_base.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/can/ctucanfd/ctucanfd_base.c b/drivers/net/can/ctucanfd/ctucanfd_base.c index 64c349fd4600..f65c1a1e05cc 100644 --- a/drivers/net/can/ctucanfd/ctucanfd_base.c +++ b/drivers/net/can/ctucanfd/ctucanfd_base.c @@ -867,10 +867,12 @@ static void ctucan_err_interrupt(struct net_device *ndev, u32 isr) } break; case CAN_STATE_ERROR_ACTIVE: - cf->can_id |= CAN_ERR_CNT; - cf->data[1] = CAN_ERR_CRTL_ACTIVE; - cf->data[6] = bec.txerr; - cf->data[7] = bec.rxerr; + if (skb) { + cf->can_id |= CAN_ERR_CNT; + cf->data[1] = CAN_ERR_CRTL_ACTIVE; + cf->data[6] = bec.txerr; + cf->data[7] = bec.rxerr; + } break; default: netdev_warn(ndev, "unhandled error state (%d:%s)!\n",
Hello Fedor,
thanks for spotting the problem.
On Tuesday 14 of January 2025 16:21:38 Fedor Pchelkin wrote:
If skb allocation fails, the pointer to struct can_frame is NULL. This is actually handled everywhere inside ctucan_err_interrupt() except for the only place.
Add the missed NULL check.
Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.
Fixes: 2dcb8e8782d8 ("can: ctucanfd: add support for CTU CAN FD open-source IP core - bus independent part.") Cc: stable@vger.kernel.org Signed-off-by: Fedor Pchelkin pchelkin@ispras.ru
Acked-by: Pavel Pisa pisa@cmp.felk.cvut.cz
drivers/net/can/ctucanfd/ctucanfd_base.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/can/ctucanfd/ctucanfd_base.c b/drivers/net/can/ctucanfd/ctucanfd_base.c index 64c349fd4600..f65c1a1e05cc 100644 --- a/drivers/net/can/ctucanfd/ctucanfd_base.c +++ b/drivers/net/can/ctucanfd/ctucanfd_base.c @@ -867,10 +867,12 @@ static void ctucan_err_interrupt(struct net_device *ndev, u32 isr) } break; case CAN_STATE_ERROR_ACTIVE:
cf->can_id |= CAN_ERR_CNT;cf->data[1] = CAN_ERR_CRTL_ACTIVE;cf->data[6] = bec.txerr;cf->data[7] = bec.rxerr;
if (skb) {cf->can_id |= CAN_ERR_CNT;cf->data[1] = CAN_ERR_CRTL_ACTIVE;cf->data[6] = bec.txerr;cf->data[7] = bec.rxerr;} break;
On 15/01/2025 at 00:21, Fedor Pchelkin wrote:
If skb allocation fails, the pointer to struct can_frame is NULL. This is actually handled everywhere inside ctucan_err_interrupt() except for the only place.
Add the missed NULL check.
Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.
Fixes: 2dcb8e8782d8 ("can: ctucanfd: add support for CTU CAN FD open-source IP core - bus independent part.") Cc: stable@vger.kernel.org Signed-off-by: Fedor Pchelkin pchelkin@ispras.ru
Reviewed-by: Vincent Mailhol mailhol.vincent@wanadoo.fr
Yours sincerely, Vincent Mailhol
linux-stable-mirror@lists.linaro.org
-
Fedor Pchelkin -
Pavel Pisa -
Vincent Mailhol