Hello Fedor, thanks for spotting the problem. On Tuesday 14 of January 2025 16:21:38 Fedor Pchelkin wrote: > If skb allocation fails, the pointer to struct can_frame is NULL. This > is actually handled everywhere inside ctucan_err_interrupt() except for > the only place. > > Add the missed NULL check. > > Found by Linux Verification Center (linuxtesting.org) with SVACE static > analysis tool. > > Fixes: 2dcb8e8782d8 ("can: ctucanfd: add support for CTU CAN FD open-source > IP core - bus independent part.") Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx> Acked-by: Pavel Pisa <pisa@xxxxxxxxxxxxxxxx> > --- > drivers/net/can/ctucanfd/ctucanfd_base.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/drivers/net/can/ctucanfd/ctucanfd_base.c > b/drivers/net/can/ctucanfd/ctucanfd_base.c index 64c349fd4600..f65c1a1e05cc > 100644 > --- a/drivers/net/can/ctucanfd/ctucanfd_base.c > +++ b/drivers/net/can/ctucanfd/ctucanfd_base.c > @@ -867,10 +867,12 @@ static void ctucan_err_interrupt(struct net_device > *ndev, u32 isr) } > break; > case CAN_STATE_ERROR_ACTIVE: > - cf->can_id |= CAN_ERR_CNT; > - cf->data[1] = CAN_ERR_CRTL_ACTIVE; > - cf->data[6] = bec.txerr; > - cf->data[7] = bec.rxerr; > + if (skb) { > + cf->can_id |= CAN_ERR_CNT; > + cf->data[1] = CAN_ERR_CRTL_ACTIVE; > + cf->data[6] = bec.txerr; > + cf->data[7] = bec.rxerr; > + } > break; > default: > netdev_warn(ndev, "unhandled error state (%d:%s)!\n", -- Pavel Pisa phone: +420 603531357 e-mail: pisa@xxxxxxxxxxxxxxxx Department of Control Engineering FEE CVUT Karlovo namesti 13, 121 35, Prague 2 university: http://control.fel.cvut.cz/ personal: http://cmp.felk.cvut.cz/~pisa social: https://social.kernel.org/ppisa projects: https://www.openhub.net/accounts/ppisa CAN related:http://canbus.pages.fel.cvut.cz/ RISC-V education: https://comparch.edu.cvut.cz/ Open Technologies Research Education and Exchange Services https://gitlab.fel.cvut.cz/otrees/org/-/wikis/home
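Review bot: In the CAN_STATE_ERROR_ACTIVE case the new guard tests `skb`, while the four statements it protects dereference `cf`. The commit message says `cf` is NULL when the skb allocation fails, so the check is sound only through that coupling, which is not visible in the hunk itself. Please confirm that `if (skb)` is the same form the other checks in ctucan_err_interrupt() use, so the function keeps one consistent pattern for readers and static analysers. If the other sites test `cf` directly, use `if (cf)` here as well.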