On 1/11/19 12:20 PM, Uwe Kleine-König wrote: > Commit cbffaf7aa09e ("can: flexcan: Always use last mailbox for TX") > introduced a loop letting i run up to (including) ARRAY_SIZE(regs->mb) > and in the body accessed regs->mb[i] which is an out-of-bounds array > access that then resulted in an access to an reserved register area. > > Later this was changed by commit 0517961ccdf1 ("can: flexcan: Add > provision for variable payload size") to iterate a bit differently but > still runs one iteration too much resulting to call > > flexcan_get_mb(priv, priv->mb_count) > > which results in a WARN_ON and then a NULL pointer exception. This > only affects devices compatible with "fsl,p1010-flexcan", > "fsl,imx53-flexcan", "fsl,imx35-flexcan", "fsl,imx25-flexcan", > "fsl,imx28-flexcan", so newer i.MX SoCs are not affected. > > Fixes: cbffaf7aa09e ("can: flexcan: Always use last mailbox for TX") > Signed-off-by: Uwe Kleine-König <u.kleine-koenig@xxxxxxxxxxxxxx> Applied to linux-can Tnx, Marc -- Pengutronix e.K. | Marc Kleine-Budde | Industrial Linux Solutions | Phone: +49-231-2826-924 | Vertretung West/Dortmund | Fax: +49-5121-206917-5555 | Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
Attachment:
signature.asc
Description: OpenPGP digital signature