Linux CAN drivers development
* [bug report] Potential order bug in 'drivers/net/can/vxcan.c', primarily in 'vxcan_dellink()'
@ 2026-04-24 15:24 Ginger
From: Ginger @ 2026-04-24 15:24 UTC (permalink / raw)
  To: mkl; +Cc: linux-can, linux-kernel

Dear Linux kernel maintainers,

My research-based static analyzer found a potential order bug within
the 'drivers/net/can' subsystem, more specifically, in
'drivers/net/can/vxcan.c'.

Kernel version: long-term kernel v6.18.9

Potential issue:
T0:
vxcan_dellink
    --> RCU_INIT_POINTER(priv->peer, NULL);
    --> unregister_netdevice_queue(dev, head);

In T0, the priv->peer field is nullified before the device is
unregistered from the kernel in 'unregister_netdevice_queue()'.
Considering that many other kernel functions rely on the existence of
the netdev and dereference 'priv->peer', e.g., vxcan_open() and
vxcan_xmit(), it is possible to cause a null pointer deref in concurrent
executions.

Thank you for your time and consideration.

Sincerely,
Ginger


* Re: [bug report] Potential order bug in 'drivers/net/can/vxcan.c', primarily in 'vxcan_dellink()'
@ 2026-04-24 18:30 ` Oliver Hartkopp
From: Oliver Hartkopp @ 2026-04-24 18:30 UTC (permalink / raw)
  To: Ginger, mkl; +Cc: linux-can, linux-kernel

Hello Ginger,

On 24.04.26 17:24, Ginger wrote:
> Dear Linux kernel maintainers,
> 
> My research-based static analyzer found a potential order bug within
> the 'drivers/net/can' subsystem, more specifically, in
> 'drivers/net/can/vxcan.c'.
> 
> Kernel version: long-term kernel v6.18.9
> 
> Potential issue:
> T0:
> vxcan_dellink
>      --> RCU_INIT_POINTER(priv->peer, NULL);
>      --> unregister_netdevice_queue(dev, head);
> 
> In T0, the priv->peer field is nullified before the device is
> unregistered from the kernel in 'unregister_netdevice_queue()'.
> Considering that many other kernel functions rely on the existence of
> the netdev and dereference 'priv->peer', e.g., vxcan_open() and
> vxcan_xmit(), it is possible to cause a null pointer deref in concurrent
> executions.
> 

The code in

https://elixir.bootlin.com/linux/v7.0.1/source/drivers/net/can/vxcan.c#L282

is copied from

https://elixir.bootlin.com/linux/v7.0.1/source/drivers/net/veth.c#L1931

which contains the following comment:

	/* Note : dellink() is called from default_device_exit_batch(),
	 * before a rcu_synchronize() point. The devices are guaranteed
	 * not being freed before one RCU grace period.
	 */
	RCU_INIT_POINTER(priv->peer, NULL);
	unregister_netdevice_queue(dev, head);

So I'm pretty sure this case is addressed.

Best regards,
Oliver


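The ordering Oliver points to, as an added userspace model that is not code from vxcan.c, veth.c or this thread: the NULL store is published first, the unregister is only queued, and the device memory is released only after every reader has left its read-side section. The model assumes the transmit path loads the peer under rcu_read_lock() and drops the frame when it reads NULL (this page does not quote that path); the reader counter, the explicit synchronize_rcu_and_free() call and the queue are this example's own stand-ins for the kernel's RCU primitives, not their implementation.

```c
/* Added userspace model of the vxcan/veth peer-teardown pattern. Not kernel
 * code: RCU is modelled with C11 atomics plus a reader counter, and the grace
 * period is an explicit function call. */
#include <assert.h>
#include <stdatomic.h>
#include <stddef.h>

struct net_device {
	unsigned long tx_dropped, rx_packets;
	int freed;    /* set once the simulated grace period has freed it */
	void *priv;
};
struct vxcan_priv {
	_Atomic(struct net_device *) peer;   /* RCU-protected; NULL after dellink */
};

/* Stand-ins for the kernel primitives (assumed semantics, not kernel code). */
static atomic_int rcu_readers;           /* readers inside a critical section */
#define rcu_read_lock()        atomic_fetch_add(&rcu_readers, 1)
#define rcu_read_unlock()      atomic_fetch_sub(&rcu_readers, 1)
#define rcu_dereference(p)     atomic_load_explicit(&(p), memory_order_acquire)
#define RCU_INIT_POINTER(p, v) atomic_store_explicit(&(p), (v), memory_order_release)

static struct net_device *unregister_queue[8];
static int unregister_count;

/* Queue only: the memory stays valid until the grace period below. */
static void unregister_netdevice_queue(struct net_device *dev)
{
	unregister_queue[unregister_count++] = dev;
}

/* Reader side (xmit path): a NULL peer is dropped, not dereferenced; a non-NULL
 * one cannot be freed while we are inside the read section. 0 = delivered. */
static int vxcan_xmit(struct net_device *dev)
{
	struct vxcan_priv *priv = dev->priv;
	struct net_device *peer;
	int ret = -1;
	rcu_read_lock();
	peer = rcu_dereference(priv->peer);
	if (!peer) {
		dev->tx_dropped++;
		goto out;
	}
	assert(!peer->freed);   /* holds because the free is deferred */
	peer->rx_packets++;
	ret = 0;
out:
	rcu_read_unlock();
	return ret;
}

/* Writer side, in vxcan_dellink() order: NULL the pointers, then queue the
 * unregisters. Nothing is freed here. */
static void vxcan_dellink(struct net_device *dev)
{
	struct vxcan_priv *priv = dev->priv;
	struct net_device *peer = rcu_dereference(priv->peer);
	RCU_INIT_POINTER(priv->peer, NULL);
	unregister_netdevice_queue(dev);
	if (peer) {
		RCU_INIT_POINTER(((struct vxcan_priv *)peer->priv)->peer, NULL);
		unregister_netdevice_queue(peer);
	}
}

/* Grace period: free queued devices only once no reader is active; otherwise
 * return -1 and free nothing. */
static int synchronize_rcu_and_free(void)
{
	if (atomic_load(&rcu_readers) != 0)
		return -1;
	for (int i = 0; i < unregister_count; i++)
		unregister_queue[i]->freed = 1;
	unregister_count = 0;
	return 0;
}

/* One run through the model. Returns 0, or the number of the failed step. */
static int run_model(void)
{
	struct vxcan_priv pa = {0}, pb = {0};
	struct net_device a = { .priv = &pa }, b = { .priv = &pb };
	struct net_device *peer;
	RCU_INIT_POINTER(pa.peer, &b);
	RCU_INIT_POINTER(pb.peer, &a);
	if (vxcan_xmit(&a) != 0 || b.rx_packets != 1) return 1;

	rcu_read_lock();                       /* a reader loads the peer ...   */
	peer = rcu_dereference(pa.peer);
	vxcan_dellink(&a);                     /* ... and dellink runs meanwhile */
	if (synchronize_rcu_and_free() != -1 || peer->freed) return 2;
	peer->rx_packets++;                    /* old pointer is still valid */
	rcu_read_unlock();

	/* new readers now see NULL and drop instead of dereferencing */
	if (vxcan_xmit(&a) != -1 || vxcan_xmit(&b) != -1 || a.tx_dropped != 1) return 3;
	/* no reader left: the grace period ends and the memory is released */
	if (synchronize_rcu_and_free() != 0 || !a.freed || !b.freed) return 4;
	return 0;
}
```

The point the model makes explicit is that the NULL write is harmless on its own: readers are written to tolerate it, and the only dangerous case, a reader holding the old non-NULL pointer, is covered by the rule that nothing queued for unregister is freed before the grace period ends.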
