From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Andrei Lalaev <andrey.lalaev@gmail.com>,
Marc Kleine-Budde <mkl@pengutronix.de>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.15 34/92] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
Date: Wed, 30 Jul 2025 11:35:42 +0200 [thread overview]
Message-ID: <20250730093232.073342189@linuxfoundation.org> (raw)
In-Reply-To: <20250730093230.629234025@linuxfoundation.org>
6.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit c1f3f9797c1f44a762e6f5f72520b2e520537b52 ]
Andrei Lalaev reported a NULL pointer deref when a CAN device is
restarted from Bus Off and the driver does not implement the struct
can_priv::do_set_mode callback.
There are 2 code path that call struct can_priv::do_set_mode:
- directly by a manual restart from the user space, via
can_changelink()
- delayed automatic restart after bus off (deactivated by default)
To prevent the NULL pointer deference, refuse a manual restart or
configure the automatic restart delay in can_changelink() and report
the error via extack to user space.
As an additional safety measure let can_restart() return an error if
can_priv::do_set_mode is not set instead of dereferencing it
unchecked.
Reported-by: Andrei Lalaev <andrey.lalaev@gmail.com>
Closes: https://lore.kernel.org/all/20250714175520.307467-1-andrey.lalaev@gmail.com
Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Link: https://patch.msgid.link/20250718-fix-nullptr-deref-do_set_mode-v1-1-0b520097bb96@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/dev/dev.c | 12 +++++++++---
drivers/net/can/dev/netlink.c | 12 ++++++++++++
2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index 5ec3170b896a4..3fa805ac2c65b 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -145,13 +145,16 @@ void can_change_state(struct net_device *dev, struct can_frame *cf,
EXPORT_SYMBOL_GPL(can_change_state);
/* CAN device restart for bus-off recovery */
-static void can_restart(struct net_device *dev)
+static int can_restart(struct net_device *dev)
{
struct can_priv *priv = netdev_priv(dev);
struct sk_buff *skb;
struct can_frame *cf;
int err;
+ if (!priv->do_set_mode)
+ return -EOPNOTSUPP;
+
if (netif_carrier_ok(dev))
netdev_err(dev, "Attempt to restart for bus-off recovery, but carrier is OK?\n");
@@ -173,10 +176,14 @@ static void can_restart(struct net_device *dev)
if (err) {
netdev_err(dev, "Restart failed, error %pe\n", ERR_PTR(err));
netif_carrier_off(dev);
+
+ return err;
} else {
netdev_dbg(dev, "Restarted\n");
priv->can_stats.restarts++;
}
+
+ return 0;
}
static void can_restart_work(struct work_struct *work)
@@ -201,9 +208,8 @@ int can_restart_now(struct net_device *dev)
return -EBUSY;
cancel_delayed_work_sync(&priv->restart_work);
- can_restart(dev);
- return 0;
+ return can_restart(dev);
}
/* CAN bus-off
diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c
index f1db9b7ffd4d0..d5aa8da87961e 100644
--- a/drivers/net/can/dev/netlink.c
+++ b/drivers/net/can/dev/netlink.c
@@ -285,6 +285,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
}
if (data[IFLA_CAN_RESTART_MS]) {
+ if (!priv->do_set_mode) {
+ NL_SET_ERR_MSG(extack,
+ "Device doesn't support restart from Bus Off");
+ return -EOPNOTSUPP;
+ }
+
/* Do not allow changing restart delay while running */
if (dev->flags & IFF_UP)
return -EBUSY;
@@ -292,6 +298,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
}
if (data[IFLA_CAN_RESTART]) {
+ if (!priv->do_set_mode) {
+ NL_SET_ERR_MSG(extack,
+ "Device doesn't support restart from Bus Off");
+ return -EOPNOTSUPP;
+ }
+
/* Do not allow a restart while not running */
if (!(dev->flags & IFF_UP))
return -EINVAL;
--
2.39.5
next prev parent reply other threads:[~2025-07-30 9:53 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-30 9:35 [PATCH 6.15 00/92] 6.15.9-rc1 review Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 01/92] x86/traps: Initialize DR7 by writing its architectural reset value Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 02/92] virtio_net: Enforce minimum TX ring size for reliability Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 03/92] virtio_ring: Fix error reporting in virtqueue_resize Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 04/92] drm/amd/display: Dont allow OLED to go down to fully off Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 05/92] regulator: core: fix NULL dereference on unbind due to stale coupling data Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 06/92] platform/x86: asus-nb-wmi: add DMI quirk for ASUS Zenbook Duo UX8406CA Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 07/92] RDMA/core: Rate limit GID cache warning messages Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 08/92] iio: fix potential out-of-bound write Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 09/92] interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 10/92] interconnect: icc-clk: destroy nodes in case of memory allocation failures Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 11/92] iio: adc: ad7949: use spi_is_bpw_supported() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 12/92] regmap: fix potential memory leak of regmap_bus Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 13/92] platform/mellanox: mlxbf-pmc: Remove newline char from event name input Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 14/92] platform/mellanox: mlxbf-pmc: Validate event/enable input Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 15/92] platform/mellanox: mlxbf-pmc: Use kstrtobool() to check 0/1 input Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 16/92] tools/hv: fcopy: Fix incorrect file path conversion Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 17/92] x86/hyperv: Fix usage of cpu_online_mask to get valid cpu Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 18/92] platform/x86: Fix initialization order for firmware_attributes_class Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 19/92] staging: vchiq_arm: Make vchiq_shutdown never fail Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 20/92] xfrm: state: initialize state_ptrs earlier in xfrm_state_find Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 21/92] xfrm: state: use a consistent pcpu_id " Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 22/92] xfrm: always initialize offload path Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 23/92] xfrm: Set transport header to fix UDP GRO handling Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 24/92] xfrm: ipcomp: adjust transport header after decompressing Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 25/92] xfrm: interface: fix use-after-free after changing collect_md xfrm interface Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 26/92] ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 27/92] net: ti: icssg-prueth: Fix buffer allocation for ICSSG Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 28/92] net/mlx5: Fix memory leak in cmd_exec() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 29/92] net/mlx5: E-Switch, Fix peer miss rules to use peer eswitch Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 30/92] i40e: report VF tx_dropped with tx_errors instead of tx_discards Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 31/92] i40e: When removing VF MAC filters, only check PF-set MAC Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 32/92] net: appletalk: Fix use-after-free in AARP proxy probe Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 33/92] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Greg Kroah-Hartman
2025-07-30 9:35 ` Greg Kroah-Hartman [this message]
2025-07-30 9:35 ` [PATCH 6.15 35/92] drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 36/92] ALSA: hda/realtek: Fix mute LED mask on HP OMEN 16 laptop Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 37/92] selftests: drv-net: wait for iperf client to stop sending Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 38/92] s390/ism: fix concurrency management in ism_cmd() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 39/92] net: hns3: fix concurrent setting vlan filter issue Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 40/92] net: hns3: disable interrupt when ptp init failed Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 41/92] net: hns3: fixed vf get max channels bug Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 42/92] net: hns3: default enable tx bounce buffer when smmu enabled Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 43/92] platform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 44/92] platform/x86: ideapad-laptop: Fix FnLock not remembered among boots Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 45/92] platform/x86: ideapad-laptop: Fix kbd backlight " Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 46/92] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 47/92] Revert "drm/prime: Use dma_buf from GEM object instance" Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 48/92] Revert "drm/gem-framebuffer: " Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 49/92] Revert "drm/gem-dma: " Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 50/92] drm/amdgpu: Reset the clear flag in buddy during resume Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.15 51/92] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 52/92] mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 53/92] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 54/92] ARM: 9450/1: Fix allowing linker DCE with binutils < 2.36 Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 55/92] timekeeping: Zero initialize system_counterval when querying time from phc drivers Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 56/92] i2c: qup: jump out of the loop in case of timeout Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 57/92] i2c: tegra: Fix reset error handling with ACPI Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 58/92] i2c: virtio: Avoid hang by using interruptible completion wait Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 59/92] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 60/92] sprintf.h requires stdarg.h Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 61/92] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 62/92] ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 63/92] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 64/92] ASoC: mediatek: common: fix device and OF node leak Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 65/92] dpaa2-eth: Fix device reference count leak in MAC endpoint handling Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 66/92] dpaa2-switch: " Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 67/92] e1000e: disregard NVM checksum on tgp when valid checksum bit is not set Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 68/92] e1000e: ignore uninitialized checksum word on tgp Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 69/92] gve: Fix stuck TX queue for DQ queue format Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 70/92] ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 71/92] kasan: use vmalloc_dump_obj() for vmalloc error reports Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 72/92] nilfs2: reject invalid file types when reading inodes Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 73/92] PCI/pwrctrl: Create pwrctrl devices only when CONFIG_PCI_PWRCTRL is enabled Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 74/92] resource: fix false warning in __request_region() Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 75/92] selftests: mptcp: connect: also cover alt modes Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 76/92] selftests: mptcp: connect: also cover checksum Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 77/92] selftests/mm: fix split_huge_page_test for folio_split() tests Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 78/92] mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 79/92] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 80/92] selftests/bpf: Add tests with stack ptr register in conditional jmp Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 81/92] drm/xe: Make WA BB part of LRC BO Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 82/92] drm/amdgpu: Add the new sdma function pointers for amdgpu_sdma.h Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 83/92] drm/amdgpu: Implement SDMA soft reset directly for v5.x Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 84/92] drm/amdgpu: Fix SDMA engine reset with logical instance ID Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 85/92] drm/shmem-helper: Remove obsoleted is_iomem test Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 86/92] Revert "drm/gem-shmem: Use dma_buf from GEM object instance" Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 87/92] usb: typec: tcpm: allow to use sink in accessory mode Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 88/92] usb: typec: tcpm: allow switching to mode accessory to mux properly Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 89/92] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 90/92] spi: cadence-quadspi: fix cleanup of rx_chan on failure paths Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 91/92] ALSA: hda/tegra: Add Tegra264 support Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.15 92/92] ALSA: hda: Add missing NVIDIA HDA codec IDs Greg Kroah-Hartman
2025-07-30 12:35 ` [PATCH 6.15 00/92] 6.15.9-rc1 review Ronald Warsow
2025-07-30 13:09 ` Christian Heusel
2025-07-30 14:09 ` Jon Hunter
2025-07-30 15:29 ` Mark Brown
2025-07-30 16:47 ` Achill Gilgenast
2025-07-30 17:21 ` Brett A C Sheffield
2025-07-30 20:08 ` Peter Schneider
2025-07-30 20:51 ` Shuah Khan
2025-07-31 2:30 ` Justin Forbes
2025-07-31 2:39 ` Takeshi Ogasawara
2025-07-31 8:36 ` Ron Economos
2025-07-31 10:17 ` Naresh Kamboju
2025-07-31 19:00 ` Miguel Ojeda
2025-08-01 1:31 ` Hardik Garg
2025-08-18 22:51 ` [PATCH 6.16 000/570] 6.16.2-rc1 review Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250730093232.073342189@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrey.lalaev@gmail.com \
--cc=mkl@pengutronix.de \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).