- 17 Nov, 2020 12 commits
-
-
Zhang Changzhong authored
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 39a6f4bc ("b44: replace the ssb_dma API with the generic DMA API") Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
Zhang Changzhong <zhangchangzhong@huawei.com> Reviewed-by:
Michael Chan <michael.chan@broadcom.com> Link: https://lore.kernel.org/r/1605582131-36735-1-git-send-email-zhangchangzhong@huawei.comSigned-off-by:
Jakub Kicinski <kuba@kernel.org>
-
Zhang Changzhong authored
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 469981b1 ("qed: Add unaligned and packed packet processing") Fixes: fcb39f6c ("qed: Add mpa buffer descriptors for storing and processing mpa fpdus") Fixes: 1e28eaad ("qed: Add iWARP support for fpdu spanned over more than two tcp packets") Reported-by:
-
Jakub Kicinski authored
Michael Chan says: ==================== bnxt_en: Bug fixes. This first patch fixes a module eeprom A2h addressing issue. The next 2 patches fix counter related issues. The last one skips an unsupported firmware call on the VF to avoid the error log. ==================== Link: https://lore.kernel.org/r/1605486472-28156-1-git-send-email-michael.chan@broadcom.comSigned-off-by:
-
Vasundhara Volam authored
VFs do not have access permissions to issue NVM_GET_DEV_INFO firmware command. Fixes: 4933f675 ("bnxt_en: Add bnxt_hwrm_nvm_get_dev_info() to query NVM info.") Signed-off-by:
Vasundhara Volam <vasundhara-v.volam@broadcom.com> Signed-off-by:
-
Michael Chan authored
bnxt_add_one_ctr() adds a hardware counter to a software counter and adjusts for the hardware counter wraparound against the mask. The logic assumes that the hardware counter is always smaller than or equal to the mask. This assumption is mostly correct. But in some cases if the firmware is older and does not provide the accurate mask, the driver can use a mask that is smaller than the actual hardware mask. This can cause some extra carry bits to be added to the software counter, resulting in counters that far exceed the actual value. Fix it by masking the hardware counter with the mask passed into bnxt_add_one_ctr(). Fixes: fea6b333 ("bnxt_en: Accumulate all counters.") Reviewed-by:
Pavan Chebbi <pavan.chebbi@broadcom.com> Reviewed-by:
Edwin Peer <edwin.peer@broadcom.com> Signed-off-by:
-
Michael Chan authored
Firmware is unable to retain the port counters during any kind of fatal or non-fatal resets, so we must clear the port counters to avoid false detection of port counter overflow. Fixes: fea6b333 ("bnxt_en: Accumulate all counters.") Reviewed-by:
-
Edwin Peer authored
The module eeprom address range returned by bnxt_get_module_eeprom() should be 256 bytes of A0h address space, the lower half of the A2h address space, and page 0 for the upper half of the A2h address space. Fix the firmware call by passing page_number 0 for the A2h slave address space. Fixes: 42ee18fe ("bnxt_en: Add Support for ETHTOOL_GMODULEINFO and ETHTOOL_GMODULEEEPRO") Signed-off-by:
-
Alex Elder authored
Transactions sit on one of several lists, depending on their state (allocated, pending, complete, or polled). A spinlock protects against concurrent access when transactions are moved between these lists. Transactions are also reference counted. A newly-allocated transaction has an initial count of 1; a transaction is released in gsi_trans_free() only if its decremented reference count reaches 0. Releasing a transaction includes removing it from the polled (or if unused, allocated) list, so the spinlock is acquired when we release a transaction. The reference count is used to allow a caller to synchronously wait for a committed transaction to complete. In this case, the waiter takes an extra reference to the transaction *before* committing it (so it won't be freed), and releases its reference (calls gsi_trans_free()) when it is done with it. Similarly, gsi_channel_update() takes an extra reference to ensure a transaction isn't released before the function is done operating on it. Until the transaction is moved to the completed list (by this function) it won't be freed, so this reference is taken "safely." But in the quiesce path, we want to wait for the "last" transaction, which we find in the completed or polled list. Transactions on these lists can be freed at any time, so we (try to) prevent that by taking the reference while holding the spinlock. Currently gsi_trans_free() decrements a transaction's reference count unconditionally, acquiring the lock to remove the transaction from its list *only* when the count reaches 0. This does not protect the quiesce path, which depends on the lock to ensure its extra reference prevents release of the transaction. Fix this by only dropping the last reference to a transaction in gsi_trans_free() while holding the spinlock. Fixes: 9dd441e4 ("soc: qcom: ipa: GSI transactions") Reported-by:
Stephen Boyd <swboyd@chromium.org> Signed-off-by:
Alex Elder <elder@linaro.org> Link: https://lore.kernel.org/r/20201114182017.28270-1-elder@linaro.orgSigned-off-by:
-
Vadim Fedorenko authored
If tcp socket has more data than Encrypted Handshake Message then tls_sw_recvmsg will try to decrypt next record instead of returning full control message to userspace as mentioned in comment. The next message - usually Application Data - gets corrupted because it uses zero copy for decryption that's why the data is not stored in skb for next iteration. Revert check to not decrypt next record if current is not Application Data. Fixes: 692d7b5d ("tls: Fix recvmsg() to be able to peek across multiple records") Signed-off-by:
Vadim Fedorenko <vfedorenko@novek.ru> Link: https://lore.kernel.org/r/1605413760-21153-1-git-send-email-vfedorenko@novek.ruSigned-off-by:
-
Subash Abhinov Kasiviswanathan authored
During rmnet unregistration, the real device rx_handler is first cleared followed by the removal of rx_handler_data after the rcu synchronization. Any packets in the receive path may observe that the rx_handler is NULL. However, there is no check when dereferencing this value to use the rmnet_port information. This fixes following splat by adding the NULL check. Unable to handle kernel NULL pointer dereference at virtual address 000000000000000d pc : rmnet_rx_handler+0x124/0x284 lr : rmnet_rx_handler+0x124/0x284 rmnet_rx_handler+0x124/0x284 __netif_receive_skb_core+0x758/0xd74 __netif_receive_skb+0x50/0x17c process_backlog+0x15c/0x1b8 napi_poll+0x88/0x284 net_rx_action+0xbc/0x23c __do_softirq+0x20c/0x48c Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation") Signed-off-by:
Sean Tranchetti <stranche@codeaurora.org> Signed-off-by:
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> Link: https://lore.kernel.org/r/1605298325-3705-1-git-send-email-subashab@codeaurora.orgSigned-off-by:
-
Lorenzo Bianconi authored
Recycle the page running page_pool_put_full_page() in mvneta_swbm_add_rx_fragment routine when the last descriptor contains just the FCS or if the received packet contains more than MAX_SKB_FRAGS fragments Fixes: ca0e0146 ("net: mvneta: move skb build after descriptors processing") Signed-off-by:
Lorenzo Bianconi <lorenzo@kernel.org> Link: https://lore.kernel.org/r/df6a2bad70323ee58d3901491ada31c1ca2a40b9.1605291228.git.lorenzo@kernel.orgSigned-off-by:
-
Wong Vee Khee authored
Fix an issue where dump stack is printed on suspend resume flow due to netif_set_real_num_rx_queues() is not called with rtnl_lock held(). Fixes: 686cff3d ("net: stmmac: Fix incorrect location to set real_num_rx|tx_queues") Reported-by:
Christophe ROULLIER <christophe.roullier@st.com> Tested-by:
Ong Boon Leong <boon.leong.ong@intel.com> Signed-off-by:
Wong Vee Khee <vee.khee.wong@intel.com> Link: https://lore.kernel.org/r/20201115074210.23605-1-vee.khee.wong@intel.comSigned-off-by:
-
- 16 Nov, 2020 13 commits
-
-
Heiner Kallweit authored
In br_forward.c and br_input.c fields dev->stats.tx_dropped and dev->stats.multicast are populated, but they are ignored in ndo_get_stats64. Fixes: 28172739 ("net: fix 64 bit counters on 32 bit arches") Signed-off-by:
Heiner Kallweit <hkallweit1@gmail.com> Link: https://lore.kernel.org/r/58ea9963-77ad-a7cf-8dfd-fc95ab95f606@gmail.comSigned-off-by:
-
Zhang Changzhong authored
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 83a8471b ("net: ethernet: ti: cpsw: refactor probe to group common hw initialization") Reported-by:
-
Zhang Changzhong authored
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 9efc9b2b ("net: stmmac: Add dwmac-intel-plat for GBE driver") Reported-by:
-
Zhang Changzhong authored
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 3ced0a88 ("qlcnic: Add support to run firmware POST") Reported-by:
-
Zhang Changzhong authored
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: ca139d76 ("cx82310_eth: re-enable ethernet mode after router reboot") Reported-by:
-
Raju Rangoju authored
Update cxgb4 and cxgb3 driver maintainer Signed-off-by:
Raju Rangoju <rajur@chelsio.com> Link: https://lore.kernel.org/r/20201116104322.3959-1-rajur@chelsio.comSigned-off-by:
-
Martin Blumenstingl authored
A user reports (slightly shortened from the original message): libphy: lantiq,xrx200-mdio: probed mdio_bus 1e108000.switch-mii: MDIO device at address 17 is missing. gswip 1e108000.switch lan: no phy at 2 gswip 1e108000.switch lan: failed to connect to port 2: -19 lantiq,xrx200-net 1e10b308.eth eth0: error -19 setting up slave phy This is a single-port board using the internal Fast Ethernet PHY. The user reports that switching to PHY scanning instead of configuring the PHY within device-tree works around this issue. The documentation for the standalone variant of the PHY11G (which is probably very similar to what is used inside the xRX200 SoCs but having the firmware burnt onto that standalone chip in the factory) states that the PHY needs 300ms to be ready for MDIO communication after releasing the reset. Add a 300ms delay after initializing all GPHYs to ensure that the GPHY firmware had enough time to initialize and to appear on the MDIO bus. Unfortunately there is no (known) documentation on what the minimum time to wait after releasing the reset on an internal PHY so play safe and take the one for the external variant. Only wait after the last GPHY firmware is loaded to not slow down the initialization too much ( xRX200 has two GPHYs but newer SoCs have at least three GPHYs). Fixes: 14fceff4 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
Martin Blumenstingl <martin.blumenstingl@googlemail.com> Acked-by:
Hauke Mehrtens <hauke@hauke-m.de> Reviewed-by:
Florian Fainelli <f.fainelli@gmail.com> Link: https://lore.kernel.org/r/20201115165757.552641-1-martin.blumenstingl@googlemail.comSigned-off-by:
-
Xie He authored
Martin Schiller is an active developer and reviewer for the X.25 code. His company is providing products based on the Linux X.25 stack. So he is a good candidate for maintainers of the X.25 code. The original maintainer of the X.25 network layer (Andrew Hendry) has not sent any email to the netdev mail list since 2013. So he is probably inactive now. Cc: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by:
Xie He <xie.he.0141@gmail.com> Acked-by:
Martin Schiller <ms@dev.tdt.de> Link: https://lore.kernel.org/r/20201114111029.326972-1-xie.he.0141@gmail.comSigned-off-by:
-
Georg Kohmann authored
Packets are processed even though the first fragment don't include all headers through the upper layer header. This breaks TAHI IPv6 Core Conformance Test v6LC.1.3.6. Referring to RFC8200 SECTION 4.5: "If the first fragment does not include all headers through an Upper-Layer header, then that fragment should be discarded and an ICMP Parameter Problem, Code 3, message should be sent to the source of the fragment, with the Pointer field set to zero." The fragment needs to be validated the same way it is done in commit 2efdaaaf ("IPv6: reply ICMP error if the first fragment don't include all headers") for ipv6. Wrap the validation into a common function, ipv6_frag_thdr_truncated() to check for truncation in the upper layer header. This validation does not fullfill all aspects of RFC 8200, section 4.5, but is at the moment sufficient to pass mentioned TAHI test. In netfilter, utilize the fragment offset returned by find_prev_fhdr() to let ipv6_frag_thdr_truncated() start it's traverse from the fragment header. Return 0 to drop the fragment in the netfilter. This is the same behaviour as used on other protocol errors in this function, e.g. when nf_ct_frag6_queue() returns -EPROTO. The Fragment will later be picked up by ipv6_frag_rcv() in reassembly.c. ipv6_frag_rcv() will then send an appropriate ICMP Parameter Problem message back to the source. References commit 2efdaaaf ("IPv6: reply ICMP error if the first fragment don't include all headers") Signed-off-by:
Georg Kohmann <geokohma@cisco.com> Acked-by:
Pablo Neira Ayuso <pablo@netfilter.org> Link: https://lore.kernel.org/r/20201111115025.28879-1-geokohma@cisco.comSigned-off-by:
-
Jakub Kicinski authored
Zhang Qilong says: ==================== Fix usage counter leak by adding a general sync ops In many case, we need to check return value of pm_runtime_get_sync, but it brings a trouble to the usage counter processing. Many callers forget to decrease the usage counter when it failed, which could resulted in reference leak. It has been discussed a lot[0][1]. So we add a function to deal with the usage counter for better coding and view. Then, we replace pm_runtime_resume_and_get with it in fec_main.c to avoid it. [0] https://lkml.org/lkml/2020/6/14/88 [1] https://patchwork.ozlabs.org/project/linux-tegra/list/?series=178139 ==================== Link: https://lore.kernel.org/r/20201110092933.3342784-1-zhangqilong3@huawei.comSigned-off-by:
-
Zhang Qilong authored
pm_runtime_get_sync() will increment pm usage at first and it will resume the device later. If runtime of the device has error or device is in inaccessible state(or other error state), resume operation will fail. If we do not call put operation to decrease the reference, it will result in reference count leak. Moreover, this device cannot enter the idle state and always stay busy or other non-idle state later. So we fixed it by replacing it with pm_runtime_resume_and_get. Fixes: 8fff755e ("net: fec: Ensure clocks are enabled while using mdio bus") Signed-off-by:
Zhang Qilong <zhangqilong3@huawei.com> Signed-off-by:
-
Zhang Qilong authored
In many case, we need to check return value of pm_runtime_get_sync, but it brings a trouble to the usage counter processing. Many callers forget to decrease the usage counter when it failed, which could resulted in reference leak. It has been discussed a lot[0][1]. So we add a function to deal with the usage counter for better coding. [0]https://lkml.org/lkml/2020/6/14/88 [1]https://patchwork.ozlabs.org/project/linux-tegra/list/?series=178139Signed-off-by:
Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by:
-
Jakub Kicinski authored
Merge tag 'linux-can-fixes-for-5.10-20201115' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2020-11-15 Anant Thazhemadam contributed two patches for the AF_CAN that prevent potential access of uninitialized member in can_rcv() and canfd_rcv(). The next patch is by Alejandro Concepcion Rodriguez and changes can_restart() to use the correct function to push a skb into the networking stack from process context. Zhang Qilong's patch fixes a memory leak in the error path of the ti_hecc's probe function. A patch by me fixes mcba_usb_start_xmit() function in the mcba_usb driver, to first fill the skb and then pass it to can_put_echo_skb(). Colin Ian King's patch fixes a potential integer overflow on shift in the peak_usb driver. The next two patches target the flexcan driver, a patch by me adds the missing "req_bit" to the stop mode property comment (which was broken during net-next for v5.10). Zhang Qilong's patch fixes the failure handling of pm_runtime_get_sync(). The next seven patches target the m_can driver including the tcan4x5x spi driver glue code. Enric Balletbo i Serra's patch for the tcan4x5x Kconfig fix the REGMAP_SPI dependency handling. A patch by me for the tcan4x5x driver's probe() function adds missing error handling to for devm_regmap_init(), and in tcan4x5x_can_remove() the order of deregistration is fixed. Wu Bo's patch for the m_can driver fixes the state change handling in m_can_handle_state_change(). Two patches by Dan Murphy first introduce m_can_class_free_dev() and then make use of it to fix the freeing of the can device. A patch by Faiz Abbas add a missing shutdown of the CAN controller in the m_can_stop() function. * tag 'linux-can-fixes-for-5.10-20201115' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: m_can: m_can_stop(): set device to software init mode before closing can: m_can: Fix freeing of can device from peripherials can: m_can: m_can_class_free_dev(): introduce new function can: m_can: m_can_handle_state_change(): fix state change can: tcan4x5x: tcan4x5x_can_remove(): fix order of deregistration can: tcan4x5x: tcan4x5x_can_probe(): add missing error checking for devm_regmap_init() can: tcan4x5x: replace depends on REGMAP_SPI with depends on SPI can: flexcan: fix failure handling of pm_runtime_get_sync() can: flexcan: flexcan_setup_stop_mode(): add missing "req_bit" to stop mode property comment can: peak_usb: fix potential integer overflow on shift of a int can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() can: ti_hecc: Fix memleak in ti_hecc_probe can: dev: can_restart(): post buffer from the right context can: af_can: prevent potential access of uninitialized member in canfd_rcv() can: af_can: prevent potential access of uninitialized member in can_rcv() ==================== Link: https://lore.kernel.org/r/20201115174131.2089251-1-mkl@pengutronix.deSigned-off-by:
-
- 15 Nov, 2020 15 commits
-
-
Faiz Abbas authored
There might be some requests pending in the buffer when the interface close sequence occurs. In some devices, these pending requests might lead to the module not shutting down properly when m_can_clk_stop() is called. Therefore, move the device to init state before potentially powering it down. Fixes: e0d1f481 ("can: m_can: add Bosch M_CAN controller support") Signed-off-by:
Faiz Abbas <faiz_abbas@ti.com> Acked-by:
Dan Murphy <dmurphy@ti.com> Link: https://lore.kernel.org/r/20200825055442.16994-1-faiz_abbas@ti.comSigned-off-by:
Marc Kleine-Budde <mkl@pengutronix.de>
-
Dan Murphy authored
Fix leaking netdev device from peripherial devices. The call to allocate the netdev device is made from and managed by the peripherial. Fixes: f524f829 ("can: m_can: Create a m_can platform framework") Reported-by:
-
Dan Murphy authored
This patch creates a common function that peripherials can call to free the netdev device when failures occur. Fixes: f524f829 ("can: m_can: Create a m_can platform framework") Reported-by:
-
Wu Bo authored
m_can_handle_state_change() is called with the new_state as an argument. In the switch statements for CAN_STATE_ERROR_ACTIVE, the comment and the following code indicate that a CAN_STATE_ERROR_WARNING is handled. This patch fixes this problem by changing the case to CAN_STATE_ERROR_WARNING. Signed-off-by:
Wu Bo <wubo.oduw@gmail.com> Link: http://lore.kernel.org/r/20200129022330.21248-2-wubo.oduw@gmail.com Cc: Dan Murphy <dmurphy@ti.com> Fixes: e0d1f481 ("can: m_can: add Bosch M_CAN controller support") Signed-off-by:
-
Marc Kleine-Budde authored
Change the order in tcan4x5x_can_remove() to be the exact inverse of tcan4x5x_can_probe(). First m_can_class_unregister(), then power down the device. Fixes: 5443c226 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Cc: Dan Murphy <dmurphy@ti.com> Link: http://lore.kernel.org/r/20201019154233.1262589-10-mkl@pengutronix.deSigned-off-by:
-
Marc Kleine-Budde authored
This patch adds the missing error checking when initializing the regmap interface fails. Fixes: 5443c226 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Cc: Dan Murphy <dmurphy@ti.com> Link: http://lore.kernel.org/r/20201019154233.1262589-7-mkl@pengutronix.deSigned-off-by:
-
Enric Balletbo i Serra authored
regmap is a library function that gets selected by drivers that need it. No driver modules should depend on it. Instead depends on SPI and select REGMAP_SPI. Depending on REGMAP_SPI makes this driver only build if another driver already selected REGMAP_SPI, as the symbol can't be selected through the menu kernel configuration. Signed-off-by:
Enric Balletbo i Serra <enric.balletbo@collabora.com> Link: http://lore.kernel.org/r/20200413141013.506613-1-enric.balletbo@collabora.comReviewed-by:
-
Zhang Qilong authored
pm_runtime_get_sync() will increment pm usage at first and it will resume the device later. If runtime of the device has error or device is in inaccessible state(or other error state), resume operation will fail. If we do not call put operation to decrease the reference, it will result in reference leak in the two functions flexcan_get_berr_counter() and flexcan_open(). Moreover, this device cannot enter the idle state and always stay busy or other non-idle state later. So we should fix it through adding pm_runtime_put_noidle(). Fixes: ca109896 ("can: flexcan: implement can Runtime PM") Signed-off-by:
-
Marc Kleine-Budde authored
In the patch d9b081e3 ("can: flexcan: remove ack_grp and ack_bit handling from driver") the unused ack_grp and ack_bit were removed from the driver. However in the comment, the "req_bit" was accidentally removed, too. This patch adds back the "req_bit" bit. Fixes: d9b081e3 ("can: flexcan: remove ack_grp and ack_bit handling from driver") Reported-by:Joakim Zhang <qiangqing.zhang@nxp.com> Link: http://lore.kernel.org/r/20201014114810.2911135-1-mkl@pengutronix.deSigned-off-by:
-
Colin Ian King authored
The left shift of int 32 bit integer constant 1 is evaluated using 32 bit arithmetic and then assigned to a signed 64 bit variable. In the case where time_ref->adapter->ts_used_bits is 32 or more this can lead to an oveflow. Avoid this by shifting using the BIT_ULL macro instead. Fixes: bb478555 ("can: usb: PEAK-System Technik USB adapters driver core") Signed-off-by:
Colin Ian King <colin.king@canonical.com> Link: https://lore.kernel.org/r/20201105112427.40688-1-colin.king@canonical.comSigned-off-by:
-
Marc Kleine-Budde authored
The driver has to first fill the skb with data and then handle it to can_put_echo_skb(). This patch moves the can_put_echo_skb() down, right before sending the skb out via USB. Fixes: 51f3baad ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Cc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com> Link: https://lore.kernel.org/r/20201111221204.1639007-1-mkl@pengutronix.deSigned-off-by:
-
Zhang Qilong authored
In the error handling, we should goto the probe_exit_candev to free ndev to prevent memory leak. Fixes: dabf54dd ("can: ti_hecc: Convert TI HECC driver to DT only driver") Signed-off-by:
-
Alejandro Concepcion Rodriguez authored
netif_rx() is meant to be called from interrupt contexts. can_restart() may be called by can_restart_work(), which is called from a worqueue, so it may run in process context. Use netif_rx_ni() instead. Fixes: 39549eef ("can: CAN Network device driver and Netlink interface") Co-developed-by:
Loris Fauster <loris.fauster@ttcontrol.com> Signed-off-by:
Alejandro Concepcion Rodriguez <alejandro@acoro.eu> Link: https://lore.kernel.org/r/4e84162b-fb31-3a73-fa9a-9438b4bd5234@acoro.eu [mkl: use netif_rx_ni() instead of netif_rx_any_context()] Signed-off-by:
-
Anant Thazhemadam authored
In canfd_rcv(), cfd->len is uninitialized when skb->len = 0, and this uninitialized cfd->len is accessed nonetheless by pr_warn_once(). Fix this uninitialized variable access by checking cfd->len's validity condition (cfd->len > CANFD_MAX_DLEN) separately after the skb->len's condition is checked, and appropriately modify the log messages that are generated as well. In case either of the required conditions fail, the skb is freed and NET_RX_DROP is returned, same as before. Fixes: d4689846 ("can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once") Reported-by: syzbot+9bcb0c9409066696d3aa@syzkaller.appspotmail.com Tested-by:
Anant Thazhemadam <anant.thazhemadam@gmail.com> Signed-off-by:
-
Anant Thazhemadam authored
In can_rcv(), cfd->len is uninitialized when skb->len = 0, and this uninitialized cfd->len is accessed nonetheless by pr_warn_once(). Fix this uninitialized variable access by checking cfd->len's validity condition (cfd->len > CAN_MAX_DLEN) separately after the skb->len's condition is checked, and appropriately modify the log messages that are generated as well. In case either of the required conditions fail, the skb is freed and NET_RX_DROP is returned, same as before. Fixes: 8cb68751 ("can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once") Reported-by: syzbot+9bcb0c9409066696d3aa@syzkaller.appspotmail.com Tested-by:
-
