Re: [bug report] Potential order bug in 'drivers/net/can/vxcan.c', primarily in 'vxcan_dellink()'

Linux CAN drivers development
 help / color / mirror / Atom feed

From: Oliver Hartkopp <socketcan@hartkopp.net>
To: Ginger <ginger.jzllee@gmail.com>, mkl@pengutronix.de
Cc: linux-can@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [bug report] Potential order bug in 'drivers/net/can/vxcan.c', primarily in 'vxcan_dellink()'
Date: Fri, 24 Apr 2026 20:30:51 +0200	[thread overview]
Message-ID: <f7db8780-dec9-49ed-9a6c-b679fa1dc311@hartkopp.net> (raw)
In-Reply-To: <CAGp+u1ZUNzJaiGNBrOoHARe9zZ=UNgpBYmmgTTtgywgq6tf8VA@mail.gmail.com>

Hello Ginger,

On 24.04.26 17:24, Ginger wrote:
> Dear Linux kernel maintainers,
> 
> My research-based static analyzer found a potential order bug within
> the ' drivers/net/can' subsystem, more specifically, in '
> drivers/net/can/vxcan.c'.
> 
> Kernel version: long-term kernel v6.18.9
> 
> Potential issue:
> T0:
> vxcan_dellink
>      --> RCU_INIT_POINTER(priv->peer, NULL);
>      --> unregister_netdevice_queue(dev, head);
> 
> In T0, the priv->peer field is nullified before the device is
> unregistered from the kernel in 'unregister_netdevice_queue()'.
> Considering that many other kernel functions rely on the existence of
> the netdev and dereferences 'priv->peer', e.g., vxcan_open() and
> vxcan_xmit(), it is possible to cause null pointer deref in concurrent
> executions.
> 

The code in

https://elixir.bootlin.com/linux/v7.0.1/source/drivers/net/can/vxcan.c#L282

is copied from

https://elixir.bootlin.com/linux/v7.0.1/source/drivers/net/veth.c#L1931

which contains the following comment:

	/* Note : dellink() is called from default_device_exit_batch(),
	 * before a rcu_synchronize() point. The devices are guaranteed
	 * not being freed before one RCU grace period.
	 */
	RCU_INIT_POINTER(priv->peer, NULL);
	unregister_netdevice_queue(dev, head);

So I'm pretty sure this case is addressed.

Best regards,
Oliver

     prev parent reply	other threads:[~2026-04-24 18:31 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-24 15:24 [bug report] Potential order bug in 'drivers/net/can/vxcan.c', primarily in 'vxcan_dellink()' Ginger
2026-04-24 18:30 ` Oliver Hartkopp [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f7db8780-dec9-49ed-9a6c-b679fa1dc311@hartkopp.net \
    --to=socketcan@hartkopp.net \
    --cc=ginger.jzllee@gmail.com \
    --cc=linux-can@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkl@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox