Message ID | 20220317030143.14668-1-hbh25y@gmail.com (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Series | can: m_can: fix a possible use after free in m_can_tx_handler() |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Series ignored based on subject |
On 17.03.2022 11:01:43, Hangyu Hua wrote:
> can_put_echo_skb will clone skb then free the skb. It is better to avoid using
> skb after can_put_echo_skb.

Why not move the can_put_echo_skb() instead? I'll send a patch.

Marc
diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c index 1a4b56f6fa8c..98be5742f4f5 100644 --- a/drivers/net/can/m_can/m_can.c +++ b/drivers/net/can/m_can/m_can.c @@ -1607,6 +1607,7 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev) u32 cccr, fdflags; int err; int putidx; + unsigned int len = skb->len; cdev->tx_skb = NULL; @@ -1642,7 +1643,7 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev) if (cdev->can.ctrlmode & CAN_CTRLMODE_FD) { cccr = m_can_read(cdev, M_CAN_CCCR); cccr &= ~CCCR_CMR_MASK; - if (can_is_canfd_skb(skb)) { + if (len == CANFD_MTU) { if (cf->flags & CANFD_BRS) cccr |= FIELD_PREP(CCCR_CMR_MASK, CCCR_CMR_CANFD_BRS);
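Review bot: The new `unsigned int len = skb->len;` in the declaration block of m_can_tx_handler() (first hunk, next to `int putidx;`) carries no comment saying why the length is cached, so a later cleanup could fold it back into a direct skb access. Add a one-line comment that skb must not be dereferenced once can_put_echo_skb() has been called, and consider a more specific name such as skb_len, since a bare `len` beside `err` and `putidx` does not say what it measures.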
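Review bot: In the CAN_CTRLMODE_FD branch (second hunk) the fix looks incomplete: the line directly after the new `if (len == CANFD_MTU) {` still tests `cf->flags & CANFD_BRS`, and if cf points into the skb's data, that is the same kind of access after can_put_echo_skb() that the commit message sets out to avoid. Either cache the flags together with len before the echo call, or make the echo call after this block so that can_is_canfd_skb(skb) can stay as it is. Open-coding `len == CANFD_MTU` also drops the helper name that documented the intent of the check.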
can_put_echo_skb will clone skb then free the skb. It is better to avoid using
skb after can_put_echo_skb.

Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 drivers/net/can/m_can/m_can.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)