linux-can-fixes-for-6.16-20250722

-----BEGIN PGP SIGNATURE----- iQFHBAABCgAxFiEEn/sM2K9nqF/8FWzzDHRl3/mQkZwFAmh/bnkTHG1rbEBwZW5n dXRyb25peC5kZQAKCRAMdGXf+ZCRnD/YB/4r/iJoSGIOjVdSVXB+EediaB9tkS7k XRODKHkCwfo/QFC6WIl+lFAhTfd09PTjUERJZoUSbNU0oYOSbFR2lhVniBOHobT+ cLq7GGWFWxNdQkba/hzxI1gh/J+/YtYeC36aq54/5ICIcckJ6jHwUi/j8NE9sSBU A6evv7+MtYxhysT5F7ECQ4v1d2ypppBrCHlllaMqEBm/IV9PhG1epe9fstjR3Im7 vDd6c5aDaeAi8xwwlQqYZ6ypLtYLhojMM9IwyQ5QQLxdPgSSbsDNO0/tMloOKCl8 r5ycnBof00FWVxkvF0eMj9MukorXGPGm6clY4wtuTwkjQg4aRTRu7qZF =qCya -----END PGP SIGNATURE----- Merge tag 'linux-can-fixes-for-6.16-20250722' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2025-07-22 The patch is by me and fixes a potential NULL pointer deref in the CAN device driver infrastructure. It can be triggered from user space. * tag 'linux-can-fixes-for-6.16-20250722' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode ==================== Link: https://patch.msgid.link/20250722110059.3664104-1-mkl@pengutronix.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28 09:04:39 +02:00 · 2025-07-22 18:39:51 -07:00 · 2025-07-22 18:39:51 -07:00 · 67e9d0b40b
commit 67e9d0b40b
parent dca56cc8b5 c1f3f9797c
2 changed files with 21 additions and 3 deletions
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@ -145,13 +145,16 @@ void can_change_state(struct net_device *dev, struct can_frame *cf,
 EXPORT_SYMBOL_GPL(can_change_state);

 /* CAN device restart for bus-off recovery */
-static void can_restart(struct net_device *dev)
+static int can_restart(struct net_device *dev)
 {
 	struct can_priv *priv = netdev_priv(dev);
 	struct sk_buff *skb;
 	struct can_frame *cf;
 	int err;

+	if (!priv->do_set_mode)
+		return -EOPNOTSUPP;
+
 	if (netif_carrier_ok(dev))
 		netdev_err(dev, "Attempt to restart for bus-off recovery, but carrier is OK?\n");

@ -173,10 +176,14 @@ static void can_restart(struct net_device *dev)
 	if (err) {
 		netdev_err(dev, "Restart failed, error %pe\n", ERR_PTR(err));
 		netif_carrier_off(dev);
+
+		return err;
 	} else {
 		netdev_dbg(dev, "Restarted\n");
 		priv->can_stats.restarts++;
 	}
+
+	return 0;
 }

 static void can_restart_work(struct work_struct *work)
@ -201,9 +208,8 @@ int can_restart_now(struct net_device *dev)
 		return -EBUSY;

 	cancel_delayed_work_sync(&priv->restart_work);
-	can_restart(dev);

-	return 0;
+	return can_restart(dev);
 }

 /* CAN bus-off
--- a/drivers/net/can/dev/netlink.c
+++ b/drivers/net/can/dev/netlink.c
@ -285,6 +285,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
 	}

 	if (data[IFLA_CAN_RESTART_MS]) {
+		if (!priv->do_set_mode) {
+			NL_SET_ERR_MSG(extack,
+				       "Device doesn't support restart from Bus Off");
+			return -EOPNOTSUPP;
+		}
+
 		/* Do not allow changing restart delay while running */
 		if (dev->flags & IFF_UP)
 			return -EBUSY;
@ -292,6 +298,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
 	}

 	if (data[IFLA_CAN_RESTART]) {
+		if (!priv->do_set_mode) {
+			NL_SET_ERR_MSG(extack,
+				       "Device doesn't support restart from Bus Off");
+			return -EOPNOTSUPP;
+		}
+
 		/* Do not allow a restart while not running */
 		if (!(dev->flags & IFF_UP))
 			return -EINVAL;