4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 13 Jan 2022 18:52:52 +0000 (19:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 13 Jan 2022 18:52:52 +0000 (19:52 +0100)
added patches:
can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch

queue-4.4/can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch [new file with mode: 0644]
queue-4.4/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch b/queue-4.4/can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
new file mode 100644 (file)
index 0000000..7c4cb9f
--- /dev/null
@@ -0,0 +1,51 @@
+From 4a8737ff068724f509d583fef404d349adba80d6 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 10 Dec 2021 10:03:09 +0100
+Subject: can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 4a8737ff068724f509d583fef404d349adba80d6 upstream.
+
+The received data contains the channel the received data is associated
+with. If the channel number is bigger than the actual number of
+channels assume broken or malicious USB device and shut it down.
+
+This fixes the error found by clang:
+
+| drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
+|                                     uninitialized whenever 'if' condition is true
+|         if (hf->channel >= GS_MAX_INTF)
+|             ^~~~~~~~~~~~~~~~~~~~~~~~~~
+| drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
+|                           hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
+|                               ^~~
+
+Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -303,7 +303,7 @@ static void gs_usb_receive_bulk_callback
+       /* device reports out of range channel id */
+       if (hf->channel >= GS_MAX_INTF)
+-              goto resubmit_urb;
++              goto device_detach;
+       dev = usbcan->canch[hf->channel];
+@@ -388,6 +388,7 @@ static void gs_usb_receive_bulk_callback
+       /* USB failure take down all interfaces */
+       if (rc == -ENODEV) {
++ device_detach:
+               for (rc = 0; rc < GS_MAX_INTF; rc++) {
+                       if (usbcan->canch[rc])
+                               netif_device_detach(usbcan->canch[rc]->netdev);
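Review bot: The bounds check ahead of `dev = usbcan->canch[hf->channel];` compares the device-supplied channel with the compile-time `GS_MAX_INTF`, while the commit message speaks of the actual number of channels. The detach loop in the second hunk tests `if (usbcan->canch[rc])`, which suggests slots can be empty, so a channel below `GS_MAX_INTF` with no registered interface would presumably still give a NULL `dev`. Consider rejecting that case too, e.g. `if (hf->channel >= GS_MAX_INTF || !usbcan->canch[hf->channel]) goto device_detach;`. The `device_detach:` label also jumps into the body of `if (rc == -ENODEV)`, so a short comment there such as `/* also reached directly on an invalid channel id */` would help the next reader. Both hunks show only part of gs_usb_receive_bulk_callback.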
diff --git a/queue-4.4/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch b/queue-4.4/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch
new file mode 100644 (file)
index 0000000..a19a623
--- /dev/null
@@ -0,0 +1,39 @@
+From 89d58aebe14a365c25ba6645414afdbf4e41cea4 Mon Sep 17 00:00:00 2001
+From: Brian Silverman <brian.silverman@bluerivertech.com>
+Date: Wed, 5 Jan 2022 16:29:50 -0800
+Subject: can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
+
+From: Brian Silverman <brian.silverman@bluerivertech.com>
+
+commit 89d58aebe14a365c25ba6645414afdbf4e41cea4 upstream.
+
+No information is deliberately sent in hf->flags in host -> device
+communications, but the open-source candleLight firmware echoes it
+back, which can result in the GS_CAN_FLAG_OVERFLOW flag being set and
+generating spurious ERRORFRAMEs.
+
+While there also initialize the reserved member with 0.
+
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Link: https://lore.kernel.org/all/20220106002952.25883-1-brian.silverman@bluerivertech.com
+Link: https://github.com/candle-usb/candleLight_fw/issues/87
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Silverman <brian.silverman@bluerivertech.com>
+[mkl: initialize the reserved member, too]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -491,6 +491,8 @@ static netdev_tx_t gs_can_start_xmit(str
+       hf->echo_id = idx;
+       hf->channel = dev->channel;
++      hf->flags = 0;
++      hf->reserved = 0;
+       cf = (struct can_frame *)skb->data;
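Review bot: Clearing `hf->flags` and `hf->reserved` one field at a time covers only the members named here; hf's allocation and the payload copy are outside the hunk, so it cannot be seen whether every byte of the frame is written before it goes to the device. If the buffer does not come from a zeroing allocator, `memset(hf, 0, sizeof(*hf));` ahead of the `hf->echo_id = idx;` assignment would keep stale kernel memory out of the transfer and make the two added lines unnecessary. Either way, a comment such as `/* firmware may echo flags back; stale bits show up as GS_CAN_FLAG_OVERFLOW */` would record why the zeroing matters.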
index 7b95fc8208f6d1ce340082bbd75b14f0851c8d2b..1050f991fba2620549bf168484fd9550c6650a30 100644 (file)
@@ -2,3 +2,5 @@ bluetooth-bfusb-fix-division-by-zero-in-send-path.patch
 usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch
 usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch
 mfd-intel-lpss-fix-too-early-pm-enablement-in-the-acpi-probe.patch
+can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
+can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch