* [PATCH net 0/1] pull-request: can 2025-07-22
@ 2025-07-22 10:58 Marc Kleine-Budde
  2025-07-22 10:58 ` [PATCH net] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Marc Kleine-Budde
  0 siblings, 1 reply; 3+ messages in thread
From: Marc Kleine-Budde @ 2025-07-22 10:58 UTC (permalink / raw)
  To: netdev; +Cc: davem, kuba, linux-can, kernel

Hello netdev-team,

this is a pull request of 1 patch for net/main.

The patch is by me and fixes a potential NULL pointer deref in the CAN
device driver infrastructure. It can be triggered from user space.

regards,
Marc

---

The following changes since commit b03f15c0192b184078206760c839054ae6eb4eaa:

  gve: Fix stuck TX queue for DQ queue format (2025-07-21 17:14:12 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can.git tags/linux-can-fixes-for-6.16-20250722

for you to fetch changes up to c1f3f9797c1f44a762e6f5f72520b2e520537b52:

  can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (2025-07-22 12:55:13 +0200)

----------------------------------------------------------------
linux-can-fixes-for-6.16-20250722

----------------------------------------------------------------
Marc Kleine-Budde (1):
      can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode

 drivers/net/can/dev/dev.c     | 12 +++++++++---
 drivers/net/can/dev/netlink.c | 12 ++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)



* [PATCH net] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
  2025-07-22 10:58 [PATCH net 0/1] pull-request: can 2025-07-22 Marc Kleine-Budde
@ 2025-07-22 10:58 ` Marc Kleine-Budde
  2025-07-23  1:50   ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 3+ messages in thread
From: Marc Kleine-Budde @ 2025-07-22 10:58 UTC (permalink / raw)
  To: netdev; +Cc: davem, kuba, linux-can, kernel, Marc Kleine-Budde, Andrei Lalaev

Andrei Lalaev reported a NULL pointer deref when a CAN device is
restarted from Bus Off and the driver does not implement the struct
can_priv::do_set_mode callback.

There are 2 code paths that call struct can_priv::do_set_mode:
- directly by a manual restart from the user space, via
  can_changelink()
- delayed automatic restart after bus off (deactivated by default)

To prevent the NULL pointer dereference, refuse a manual restart or
configuring the automatic restart delay in can_changelink() and report
the error via extack to user space.

As an additional safety measure let can_restart() return an error if
can_priv::do_set_mode is not set instead of dereferencing it
unchecked.

Reported-by: Andrei Lalaev <andrey.lalaev@gmail.com>
Closes: https://lore.kernel.org/all/20250714175520.307467-1-andrey.lalaev@gmail.com
Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Link: https://patch.msgid.link/20250718-fix-nullptr-deref-do_set_mode-v1-1-0b520097bb96@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/dev/dev.c     | 12 +++++++++---
 drivers/net/can/dev/netlink.c | 12 ++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index ea8c807af4d8..3913971125de 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -145,13 +145,16 @@ void can_change_state(struct net_device *dev, struct can_frame *cf,
 EXPORT_SYMBOL_GPL(can_change_state);
 
 /* CAN device restart for bus-off recovery */
-static void can_restart(struct net_device *dev)
+static int can_restart(struct net_device *dev)
 {
 	struct can_priv *priv = netdev_priv(dev);
 	struct sk_buff *skb;
 	struct can_frame *cf;
 	int err;
 
+	if (!priv->do_set_mode)
+		return -EOPNOTSUPP;
+
 	if (netif_carrier_ok(dev))
 		netdev_err(dev, "Attempt to restart for bus-off recovery, but carrier is OK?\n");
 
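Review bot: The new early return at the top of can_restart() is silent, and the comment above the function still only says "CAN device restart for bus-off recovery" although the function now returns an int. Suggest extending that comment to state that -EOPNOTSUPP is returned when the driver sets no do_set_mode callback, and that the checks added to can_changelink() in this patch are meant to keep this branch from being reached. It is also worth confirming that can_restart_work(), which no hunk in this patch modifies, deliberately ignores the new return value.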
@@ -173,10 +176,14 @@ static void can_restart(struct net_device *dev)
 	if (err) {
 		netdev_err(dev, "Restart failed, error %pe\n", ERR_PTR(err));
 		netif_carrier_off(dev);
+
+		return err;
 	} else {
 		netdev_dbg(dev, "Restarted\n");
 		priv->can_stats.restarts++;
 	}
+
+	return 0;
 }
 
 static void can_restart_work(struct work_struct *work)
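Review bot: With "return err;" added inside the "if (err)" branch, the "else" that follows it is redundant. Kernel style normally drops the else after a return, so the netdev_dbg() call and the restarts++ increment could move out one indentation level and be followed directly by "return 0;".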
@@ -201,9 +208,8 @@ int can_restart_now(struct net_device *dev)
 		return -EBUSY;
 
 	cancel_delayed_work_sync(&priv->restart_work);
-	can_restart(dev);
 
-	return 0;
+	return can_restart(dev);
 }
 
 /* CAN bus-off
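Review bot: can_restart_now() used to return 0 after calling can_restart() and now returns whatever can_restart() returns, so the error that is logged as "Restart failed" reaches the caller as well as the new -EOPNOTSUPP. The commit message only describes the NULL check; suggest adding a sentence there, or a comment on can_restart_now(), saying that a failed manual restart is now reported to the caller instead of being treated as success.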
diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c
index a36842ace084..f0e3f0d538fb 100644
--- a/drivers/net/can/dev/netlink.c
+++ b/drivers/net/can/dev/netlink.c
@@ -285,6 +285,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
 	}
 
 	if (data[IFLA_CAN_RESTART_MS]) {
+		if (!priv->do_set_mode) {
+			NL_SET_ERR_MSG(extack,
+				       "Device doesn't support restart from Bus Off");
+			return -EOPNOTSUPP;
+		}
+
 		/* Do not allow changing restart delay while running */
 		if (dev->flags & IFF_UP)
 			return -EBUSY;
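Review bot: The do_set_mode check in the IFLA_CAN_RESTART_MS block runs before the attribute's value is looked at, so a request that sets the delay to 0, that is, one asking for automatic restart to stay disabled, is also refused with -EOPNOTSUPP on drivers without the callback. The commit message states that automatic restart is deactivated by default, so consider rejecting only a non-zero delay; otherwise configuration tools that always send this attribute would start failing on such devices.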
@@ -292,6 +298,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
 	}
 
 	if (data[IFLA_CAN_RESTART]) {
+		if (!priv->do_set_mode) {
+			NL_SET_ERR_MSG(extack,
+				       "Device doesn't support restart from Bus Off");
+			return -EOPNOTSUPP;
+		}
+
 		/* Do not allow a restart while not running */
 		if (!(dev->flags & IFF_UP))
 			return -EINVAL;
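Review bot: The do_set_mode check and its extack string in the IFLA_CAN_RESTART block are a verbatim copy of the ones added to the IFLA_CAN_RESTART_MS block above. Suggest factoring them into a small helper, or at least a shared message string, so the two cannot drift apart. Since can_restart_now() now returns -EOPNOTSUPP itself through can_restart(), a short comment that this check exists mainly to give user space the extack text would help future readers.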

base-commit: b03f15c0192b184078206760c839054ae6eb4eaa
-- 
2.47.2




* Re: [PATCH net] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
  2025-07-22 10:58 ` [PATCH net] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Marc Kleine-Budde
@ 2025-07-23  1:50   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-07-23  1:50 UTC (permalink / raw)
  To: Marc Kleine-Budde; +Cc: netdev, davem, kuba, linux-can, kernel, andrey.lalaev

Hello:

This patch was applied to netdev/net.git (main)
by Marc Kleine-Budde <mkl@pengutronix.de>:

On Tue, 22 Jul 2025 12:58:32 +0200 you wrote:
> Andrei Lalaev reported a NULL pointer deref when a CAN device is
> restarted from Bus Off and the driver does not implement the struct
> can_priv::do_set_mode callback.
> 
> There are 2 code paths that call struct can_priv::do_set_mode:
> - directly by a manual restart from the user space, via
>   can_changelink()
> - delayed automatic restart after bus off (deactivated by default)
> 
> [...]

Here is the summary with links:
  - [net] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
    https://git.kernel.org/netdev/net/c/c1f3f9797c1f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


