From: Uwe Kleine-König
To: Marc Kleine-Budde
Cc: netdev@vger.kernel.org, linux-stable, linux-can@vger.kernel.org, kernel@pengutronix.de, davem@davemloft.net, Alexander Stein
Subject: [PATCH v4.19.x] can: flexcan: fix out-of-bounds array access
Date: Fri, 11 Jan 2019 11:58:39 +0100
Message-Id: <20190111105839.5301-1-u.kleine-koenig@pengutronix.de>
In-Reply-To: <20190111105619.gkf2735zlpe6qbxv@pengutronix.de>
References: <20190111105619.gkf2735zlpe6qbxv@pengutronix.de>

The loop body uses regs->mb[i], so i should not ensured to be smaller than ARRAY_SIZE(regs->mb).

This change fixes a backtrace during boot on an i.MX25 based machine:

[ 10.093464] Unhandled fault: external abort on non-linefetch (0x808) at 0xc89f4480
[ 10.101096] pgd = (ptrval)
[ 10.103830] [c89f4480] *pgd=87885811, *pte=43f88653, *ppte=43f88552
[ 10.110174] Internal error: : 808 [#1] PREEMPT ARM
[ 10.114988] Modules linked in:
[ 10.118096] CPU: 0 PID: 680 Comm: ip Not tainted 4.19.13-20180926-1-00011-ga0dd04ff511f-dirty #7
[ 10.126904] Hardware name: Freescale i.MX25 (Device Tree Support)
[ 10.133066] PC is at flexcan_write_le+0x0/0x8
[ 10.137469] LR is at flexcan_chip_start+0x450/0x474
[ 10.142373] pc : [] lr : [] psr: 20000013
[ 10.148658] sp : c6e0f900 ip : 00000000 fp : c708b000
[ 10.153903] r10: c0789a38 r9 : c89f4004 r8 : c89f4490
[ 10.159150] r7 : 00000000 r6 : c708b3e0 r5 : c89f4000 r4 : c89f4490
[ 10.165697] r3 : c0436f10 r2 : c0436f18 r1 : c89f4480 r0 : 00000000
[ 10.172249] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 10.179407] Control: 0005317f Table: 86e40000 DAC: 00000051
[ 10.185173] Process ip (pid: 680, stack limit = 0x(ptrval))
[ 10.190768] Stack: (0xc6e0f900 to 0xc6e10000)
[ 10.655357] [] (flexcan_write_le) from [] (flexcan_chip_start+0x450/0x474)
[ 10.664035] [] (flexcan_chip_start) from [] (flexcan_open+0xf8/0x144)
[ 10.672278] [] (flexcan_open) from [] (__dev_open+0xe8/0x174)
[ 10.679814] [] (__dev_open) from [] (__dev_change_flags+0x160/0x1c8)
[ 10.687956] [] (__dev_change_flags) from [] (dev_change_flags+0x20/0x50)
[ 10.696452] [] (dev_change_flags) from [] (do_setlink+0x360/0xa88)
[ 10.704424] [] (do_setlink) from [] (rtnl_newlink+0x4a4/0x6f4)
[ 10.712046] [] (rtnl_newlink) from [] (rtnetlink_rcv_msg+0x120/0x2f4)
[ 10.720294] [] (rtnetlink_rcv_msg) from [] (netlink_rcv_skb+0xbc/0x118)
[ 10.728707] [] (netlink_rcv_skb) from [] (netlink_unicast+0x184/0x1fc)
[ 10.737028] [] (netlink_unicast) from [] (netlink_sendmsg+0x338/0x38c)
[ 10.745363] []
(netlink_sendmsg) from [] (sock_sendmsg+0x1c/0x2c) [ 10.753254] [] (sock_sendmsg) from [] (___sys_sendmsg+0x210/0x22c) [ 10.761226] [] (___sys_sendmsg) from [] (__sys_sendmsg+0x54/0x94) [ 10.769103] [] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x50) [ 10.777047] Exception stack(0xc6e0ffa8 to 0xc6e0fff0) [ 10.782132] ffa0: 00000000 be84de48 00000003 be84d72c 00000000 00000000 [ 10.790348] ffc0: 00000000 be84de48 00041350 00000128 5c3875b0 00000000 00066328 0008c000 [ 10.798551] ffe0: b6ee0000 be84d6d8 00062aa0 b6e70918 [ 10.803643] Code: e5813000 e12fff1e e5900000 e12fff1e (e5810000) [ 10.809769] ---[ end trace 1a4586e3b7840d04 ]--- Fixes: 24e5589791d0 ("can: flexcan: Always use last mailbox for TX") Signed-off-by: Uwe Kleine-König --- drivers/net/can/flexcan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c index 75ce11395ee8..ae219b8a7754 100644 --- a/drivers/net/can/flexcan.c +++ b/drivers/net/can/flexcan.c @@ -1004,7 +1004,7 @@ static int flexcan_chip_start(struct net_device *dev) } } else { /* clear and invalidate unused mailboxes first */ - for (i = FLEXCAN_TX_MB_RESERVED_OFF_FIFO; i <= ARRAY_SIZE(regs->mb); i++) { + for (i = FLEXCAN_TX_MB_RESERVED_OFF_FIFO; i < ARRAY_SIZE(regs->mb); i++) { priv->write(FLEXCAN_MB_CODE_RX_INACTIVE, ®s->mb[i].can_ctrl); }
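Review bot: The commit message's rationale, "so i should not ensured to be smaller than ARRAY_SIZE(regs->mb)", is garbled and reads as the opposite of what the flexcan_chip_start() hunk does. The new condition i < ARRAY_SIZE(regs->mb) is the right bound for indexing regs->mb[i], since the old <= let the last iteration write can_ctrl one element past the end of the array; please reword the sentence to say that i must stay below ARRAY_SIZE(regs->mb). Because the subject targets v4.19.x only, the message should also state whether mainline contains the same loop, or cite the corresponding upstream commit, so the stable maintainers can tell why this is not a plain backport.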