Commit 67e9d0b4 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'linux-can-fixes-for-6.16-20250722' of... 

Merge tag 'linux-can-fixes-for-6.16-20250722' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2025-07-22

The patch is by me and fixes a potential NULL pointer deref in the CAN
device driver infrastructure. It can be triggered from user space.

* tag 'linux-can-fixes-for-6.16-20250722' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
  can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
====================

Link: https://patch.msgid.link/20250722110059.3664104-1-mkl@pengutronix.de


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents dca56cc8 c1f3f979

drivers/net/can/dev/dev.c

+9 −3
Original line number Diff line number Diff line
@@ -145,13 +145,16 @@ void can_change_state(struct net_device *dev, struct can_frame *cf, 
EXPORT_SYMBOL_GPL(can_change_state);



/* CAN device restart for bus-off recovery */

static void can_restart(struct net_device *dev)

static int can_restart(struct net_device *dev)

{

	struct can_priv *priv = netdev_priv(dev);

	struct sk_buff *skb;

	struct can_frame *cf;

	int err;



	if (!priv->do_set_mode)

		return -EOPNOTSUPP;



	if (netif_carrier_ok(dev))

		netdev_err(dev, "Attempt to restart for bus-off recovery, but carrier is OK?\n");
@@ -173,10 +176,14 @@ static void can_restart(struct net_device *dev) 
	if (err) {

		netdev_err(dev, "Restart failed, error %pe\n", ERR_PTR(err));

		netif_carrier_off(dev);



		return err;

	} else {

		netdev_dbg(dev, "Restarted\n");

		priv->can_stats.restarts++;

	}



	return 0;

}



static void can_restart_work(struct work_struct *work)
@@ -201,9 +208,8 @@ int can_restart_now(struct net_device *dev) 
		return -EBUSY;



	cancel_delayed_work_sync(&priv->restart_work);

	can_restart(dev);



	return 0;

	return can_restart(dev);

}



/* CAN bus-off

drivers/net/can/dev/netlink.c

+12 −0
Original line number Diff line number Diff line
@@ -285,6 +285,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[], 
	}



	if (data[IFLA_CAN_RESTART_MS]) {

		if (!priv->do_set_mode) {

			NL_SET_ERR_MSG(extack,

				       "Device doesn't support restart from Bus Off");

			return -EOPNOTSUPP;

		}



		/* Do not allow changing restart delay while running */

		if (dev->flags & IFF_UP)

			return -EBUSY;
@@ -292,6 +298,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[], 
	}



	if (data[IFLA_CAN_RESTART]) {

		if (!priv->do_set_mode) {

			NL_SET_ERR_MSG(extack,

				       "Device doesn't support restart from Bus Off");

			return -EOPNOTSUPP;

		}



		/* Do not allow a restart while not running */

		if (!(dev->flags & IFF_UP))

			return -EINVAL;