From: Vincent Mailhol <mailhol@kernel.org>
To: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com,
syzbot ci <syzbot+ci284feacb80736eb0@syzkaller.appspotmail.com>,
biju.das.jz@bp.renesas.com, davem@davemloft.net, geert@glider.be,
kernel@pengutronix.de, kuba@kernel.org,
linux-can@vger.kernel.org, mkl@pengutronix.de,
netdev@vger.kernel.org, stefan.maetje@esd.eu,
stephane.grosjean@hms-networks.com, zhao.xichao@vivo.com
Subject: Re: [syzbot ci] Re: pull-request: can-next 2025-09-24
Date: Wed, 24 Sep 2025 22:31:28 +0900
Message-ID: <651d24b9-fe26-4e6f-a144-22c5997eeafb@kernel.org>
In-Reply-To: <c952c748-4ae7-4ab9-8fd0-3e284a017273@hartkopp.net>
On 24/09/2025 at 22:18, Oliver Hartkopp wrote:
> Hello Vincent,
>
> On 24.09.25 14:40, syzbot ci wrote:
>> syzbot ci has tested the following series
>>
>> [v1] pull-request: can-next 2025-09-24
>> https://lore.kernel.org/all/20250924082104.595459-1-mkl@pengutronix.de
>> * [PATCH net-next 01/48] can: m_can: use us_to_ktime() where appropriate
>> * [PATCH net-next 02/48] MAINTAINERS: update Vincent Mailhol's email address
>> * [PATCH net-next 03/48] can: dev: sort includes by alphabetical order
>> * [PATCH net-next 04/48] can: peak: Modification of references to email
>> accounts being deleted
>> * [PATCH net-next 05/48] can: rcar_canfd: Update bit rate constants for RZ/G3E
>> and R-Car Gen4
>> * [PATCH net-next 06/48] can: rcar_canfd: Update RCANFD_CFG_* macros
>> * [PATCH net-next 07/48] can: rcar_canfd: Simplify nominal bit rate config
>> * [PATCH net-next 08/48] can: rcar_canfd: Simplify data bit rate config
>> * [PATCH net-next 09/48] can: rcar_can: Consistently use ndev for net_device
>> pointers
>> * [PATCH net-next 10/48] can: rcar_can: Add helper variable dev to
>> rcar_can_probe()
>> * [PATCH net-next 11/48] can: rcar_can: Convert to Runtime PM
>> * [PATCH net-next 12/48] can: rcar_can: Convert to BIT()
>> * [PATCH net-next 13/48] can: rcar_can: Convert to GENMASK()
>> * [PATCH net-next 14/48] can: rcar_can: CTLR bitfield conversion
>> * [PATCH net-next 15/48] can: rcar_can: TFCR bitfield conversion
>> * [PATCH net-next 16/48] can: rcar_can: BCR bitfield conversion
>> * [PATCH net-next 17/48] can: rcar_can: Mailbox bitfield conversion
>> * [PATCH net-next 18/48] can: rcar_can: Do not print alloc_candev() failures
>> * [PATCH net-next 19/48] can: rcar_can: Convert to %pe
>> * [PATCH net-next 20/48] can: esd_usb: Rework display of error messages
>> * [PATCH net-next 21/48] can: esd_usb: Avoid errors triggered from USB disconnect
>> * [PATCH net-next 22/48] can: raw: reorder struct uniqframe's members to
>> optimise packing
>> * [PATCH net-next 23/48] can: raw: use bitfields to store flags in struct
>> raw_sock
>> * [PATCH net-next 24/48] can: raw: reorder struct raw_sock's members to
>> optimise packing
>> * [PATCH net-next 25/48] can: annotate mtu accesses with READ_ONCE()
>> * [PATCH net-next 26/48] can: dev: turn can_set_static_ctrlmode() into a non-
>> inline function
>> * [PATCH net-next 27/48] can: populate the minimum and maximum MTU values
>> * [PATCH net-next 28/48] can: enable CAN XL for virtual CAN devices by default
>> * [PATCH net-next 29/48] can: dev: move struct data_bittiming_params to linux/
>> can/bittiming.h
>> * [PATCH net-next 30/48] can: dev: make can_get_relative_tdco() FD agnostic
>> and move it to bittiming.h
>> * [PATCH net-next 31/48] can: netlink: document which symbols are FD specific
>> * [PATCH net-next 32/48] can: netlink: refactor can_validate_bittiming()
>> * [PATCH net-next 33/48] can: netlink: add can_validate_tdc()
>> * [PATCH net-next 34/48] can: netlink: add can_validate_databittiming()
>> * [PATCH net-next 35/48] can: netlink: refactor CAN_CTRLMODE_TDC_{AUTO,MANUAL}
>> flag reset logic
>> * [PATCH net-next 36/48] can: netlink: remove useless check in
>> can_tdc_changelink()
>> * [PATCH net-next 37/48] can: netlink: make can_tdc_changelink() FD agnostic
>> * [PATCH net-next 38/48] can: netlink: add can_dtb_changelink()
>> * [PATCH net-next 39/48] can: netlink: add can_ctrlmode_changelink()
>> * [PATCH net-next 40/48] can: netlink: make can_tdc_get_size() FD agnostic
>> * [PATCH net-next 41/48] can: netlink: add can_data_bittiming_get_size()
>> * [PATCH net-next 42/48] can: netlink: add can_bittiming_fill_info()
>> * [PATCH net-next 43/48] can: netlink: add can_bittiming_const_fill_info()
>> * [PATCH net-next 44/48] can: netlink: add can_bitrate_const_fill_info()
>> * [PATCH net-next 45/48] can: netlink: make can_tdc_fill_info() FD agnostic
>> * [PATCH net-next 46/48] can: calc_bittiming: make can_calc_tdco() FD agnostic
>> * [PATCH net-next 47/48] can: dev: add can_get_ctrlmode_str()
>> * [PATCH net-next 48/48] can: netlink: add userland error messages
>>
>> and found the following issue:
>> KASAN: slab-out-of-bounds Read in can_setup
>>
>> Full report is available here:
>> https://ci.syzbot.org/series/7feff13b-7247-438c-9d92-b8e9fda977c7
>>
>> ***
>>
>> KASAN: slab-out-of-bounds Read in can_setup
>>
>> tree: net-next
>> URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/
>> net-next.git
>> base: 315f423be0d1ebe720d8fd4fa6bed68586b13d34
>> arch: amd64
>> compiler: Debian clang version 20.1.8 (+
>> +20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
>> config: https://ci.syzbot.org/builds/08331a39-4a31-4f96-a377-3125df2af883/
>> config
>> C repro: https://ci.syzbot.org/findings/46cae752-cb54-4ceb-87cb-
>> bb9d2fdb1d79/c_repro
>> syz repro: https://ci.syzbot.org/findings/46cae752-cb54-4ceb-87cb-
>> bb9d2fdb1d79/syz_repro
>>
>> netlink: 24 bytes leftover after parsing attributes in process `syz.0.17'.
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in can_set_default_mtu drivers/net/can/dev/
>> dev.c:350 [inline]
>> BUG: KASAN: slab-out-of-bounds in can_setup+0x209/0x280 drivers/net/can/dev/
>> dev.c:279
>> Read of size 4 at addr ffff888106a6ee74 by task syz.0.17/5999
>>
>> CPU: 1 UID: 0 PID: 5999 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-
>> debian-1.16.2-1 04/01/2014
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
>> print_address_description mm/kasan/report.c:378 [inline]
>> print_report+0xca/0x240 mm/kasan/report.c:482
>> kasan_report+0x118/0x150 mm/kasan/report.c:595
>> can_set_default_mtu drivers/net/can/dev/dev.c:350 [inline]
>
> When can_set_default_mtu() is called from the netlink config context it is also
> used for virtual CAN interfaces (which were created by syzbot here), where the
> priv pointer is not valid.
Ack. I am pretty sure that I tested it on the virtual interfaces, but I did not
have KASAN activated. So I did not notice the problem.
> Please use
>
> struct can_priv *priv = safe_candev_priv(dev);
>
> to detect virtual CAN interfaces too.
Exactly! I am reaching the same conclusion.
Right now, I am testing this patch:
diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index e5a82aa77958..1a309ae4850d 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -345,9 +345,9 @@ EXPORT_SYMBOL_GPL(free_candev);
void can_set_default_mtu(struct net_device *dev)
{
- struct can_priv *priv = netdev_priv(dev);
+ struct can_priv *priv = safe_candev_priv(dev);
- if (priv->ctrlmode & CAN_CTRLMODE_FD) {
+ if (priv && (priv->ctrlmode & CAN_CTRLMODE_FD)) {
dev->mtu = CANFD_MTU;
dev->min_mtu = CANFD_MTU;
dev->max_mtu = CANFD_MTU;
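Review bot: the new `if (priv && (priv->ctrlmode & CAN_CTRLMODE_FD))` silently sends every device for which safe_candev_priv() returns NULL (the virtual CAN interfaces Oliver mentions, which is what the syzbot reproducer created) down the non-FD branch, and nothing in the hunk says why `priv` can be NULL. Add a comment above the check, e.g. `/* priv is NULL for virtual CAN devices: fall back to the classic CAN MTU */`, so a later reader does not "simplify" it back to netdev_priv() and reintroduce the out-of-bounds read. It is also worth confirming that the default taken on the NULL path is the one wanted for virtual devices, given that patch 28/48 ("enable CAN XL for virtual CAN devices by default") in the same series changes what those devices carry.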
It is compiling right now. Another potential fix could also be:
diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index e5a82aa77958..66c7a9eee7dd 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -273,11 +273,12 @@ void can_setup(struct net_device *dev)
{
dev->type = ARPHRD_CAN;
dev->hard_header_len = 0;
+ dev->mtu = CAN_MTU;
+ dev->min_mtu = CAN_MTU;
+ dev->max_mtu = CAN_MTU;
dev->addr_len = 0;
dev->tx_queue_len = 10;
- can_set_default_mtu(dev);
-
/* New-style flags. */
dev->flags = IFF_NOARP;
dev->features = NETIF_F_HW_CSUM;
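Review bot: hard-coding `dev->mtu`, `dev->min_mtu` and `dev->max_mtu` to CAN_MTU in can_setup() only fixes this crash if virtual devices never reach can_set_default_mtu() from the netlink path Oliver describes; this hunk leaves can_set_default_mtu() itself untouched, so if that function is still invoked for a vcan/vxcan device from the netlink config context the same out-of-bounds read remains. Conversely, an FD-capable driver will now keep `max_mtu = CAN_MTU` (rejecting CANFD_MTU) unless can_set_default_mtu(), which sets the CANFD_MTU values in the first diff, is still called on the driver path after ctrlmode is known; the hunk removes the only call visible here, so name the remaining call site in the commit message and add a one-line comment next to the three assignments (e.g. `/* classic CAN default; can_set_default_mtu() overrides this for FD */`) to make the split explicit.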
@Marc, once I finish testing, can I just send you a diff patch and ask to squash
it in:
[PATCH net-next 27/48] can: populate the minimum and maximum MTU values
?
Yours sincerely,
Vincent Mailhol
Thread overview:
2025-09-24 8:06 [PATCH net-next 0/48] pull-request: can-next 2025-09-24 Marc Kleine-Budde
2025-09-24 12:40 ` [syzbot ci] Re: pull-request: can-next 2025-09-24 syzbot ci
2025-09-24 13:18 ` Oliver Hartkopp
2025-09-24 13:31 ` Vincent Mailhol [this message]
2025-09-24 13:38 ` Marc Kleine-Budde
2025-09-24 13:38 ` Oliver Hartkopp
2025-09-24 14:14 ` Vincent Mailhol
2025-09-24 14:35 ` [PATCH] can: dev: fix out-of-bound read in can_set_default_mtu() Vincent Mailhol
2025-09-24 15:13 ` Marc Kleine-Budde
2025-09-24 15:21 ` Vincent Mailhol
2025-09-25 12:18 ` [PATCH net-next 0/48] pull-request: can-next 2025-09-24 Marc Kleine-Budde
2025-09-25 12:53 ` Stefan Mätje
2025-09-25 12:53 ` Marc Kleine-Budde