On 1/11/19 12:20 PM, Uwe Kleine-König wrote:
> Commit cbffaf7aa09e ("can: flexcan: Always use last mailbox for TX")
> introduced a loop letting i run up to (including) ARRAY_SIZE(regs->mb)
> and in the body accessed regs->mb[i] which is an out-of-bounds array
> access that then resulted in an access to an reserved register area.
>
> Later this was changed by commit 0517961ccdf1 ("can: flexcan: Add
> provision for variable payload size") to iterate a bit differently but
> still runs one iteration too much resulting to call
>
> flexcan_get_mb(priv, priv->mb_count)
>
> which results in a WARN_ON and then a NULL pointer exception. This
> only affects devices compatible with "fsl,p1010-flexcan",
> "fsl,imx53-flexcan", "fsl,imx35-flexcan", "fsl,imx25-flexcan",
> "fsl,imx28-flexcan", so newer i.MX SoCs are not affected.
>
> Fixes: cbffaf7aa09e ("can: flexcan: Always use last mailbox for TX")
> Signed-off-by: Uwe Kleine-König <[email protected]>Applied to linux-can Tnx, Marc -- Pengutronix e.K. | Marc Kleine-Budde | Industrial Linux Solutions | Phone: +49-231-2826-924 | Vertretung West/Dortmund | Fax: +49-5121-206917-5555 | Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
signature.asc
Description: OpenPGP digital signature
