can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode

Andrei Lalaev reported a NULL pointer deref when a CAN device is
restarted from Bus Off and the driver does not implement the struct
can_priv::do_set_mode callback.

There are 2 code path that call struct can_priv::do_set_mode:
- directly by a manual restart from the user space, via
  can_changelink()
- delayed automatic restart after bus off (deactivated by default)

To prevent the NULL pointer deference, refuse a manual restart or
configure the automatic restart delay in can_changelink() and report
the error via extack to user space.

As an additional safety measure let can_restart() return an error if
can_priv::do_set_mode is not set instead of dereferencing it
unchecked.

Reported-by: Andrei Lalaev <andrey.lalaev@gmail.com>
Closes: https://lore.kernel.org/all/20250714175520.307467-1-andrey.lalaev@gmail.com
Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Link: https://patch.msgid.link/20250718-fix-nullptr-deref-do_set_mode-v1-1-0b520097bb96@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index ea8c807af4d80e8df395d337d822e07550266955..3913971125de0ab16b4ad9f36712954141014ddf 100644 (file)
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -145,13 +145,16 @@ void can_change_state(struct net_device *dev, struct can_frame *cf,
 EXPORT_SYMBOL_GPL(can_change_state);
 
 /* CAN device restart for bus-off recovery */
-static void can_restart(struct net_device *dev)
+static int can_restart(struct net_device *dev)
 {
        struct can_priv *priv = netdev_priv(dev);
        struct sk_buff *skb;
        struct can_frame *cf;
        int err;
 
+       if (!priv->do_set_mode)
+               return -EOPNOTSUPP;
+
        if (netif_carrier_ok(dev))
                netdev_err(dev, "Attempt to restart for bus-off recovery, but carrier is OK?\n");
 
@@ -173,10 +176,14 @@ static void can_restart(struct net_device *dev)
        if (err) {
                netdev_err(dev, "Restart failed, error %pe\n", ERR_PTR(err));
                netif_carrier_off(dev);
+
+               return err;
        } else {
                netdev_dbg(dev, "Restarted\n");
                priv->can_stats.restarts++;
        }
+
+       return 0;
 }
 
 static void can_restart_work(struct work_struct *work)
@@ -201,9 +208,8 @@ int can_restart_now(struct net_device *dev)
                return -EBUSY;
 
        cancel_delayed_work_sync(&priv->restart_work);
-       can_restart(dev);
 
-       return 0;
+       return can_restart(dev);
 }
 
 /* CAN bus-off

diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c
index a36842ace084e5393b7d105176d9d833ab1c62a1..f0e3f0d538fb43a96f1b2800c38184b037e96eef 100644 (file)
--- a/drivers/net/can/dev/netlink.c
+++ b/drivers/net/can/dev/netlink.c
@@ -285,6 +285,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
        }
 
        if (data[IFLA_CAN_RESTART_MS]) {
+               if (!priv->do_set_mode) {
+                       NL_SET_ERR_MSG(extack,
+                                      "Device doesn't support restart from Bus Off");
+                       return -EOPNOTSUPP;
+               }
+
                /* Do not allow changing restart delay while running */
                if (dev->flags & IFF_UP)
                        return -EBUSY;
@@ -292,6 +298,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
        }
 
        if (data[IFLA_CAN_RESTART]) {
+               if (!priv->do_set_mode) {
+                       NL_SET_ERR_MSG(extack,
+                                      "Device doesn't support restart from Bus Off");
+                       return -EOPNOTSUPP;
+               }
+
                /* Do not allow a restart while not running */
                if (!(dev->flags & IFF_UP))
                        return -EINVAL;