5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Dec 2022 10:05:47 +0000 (11:05 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Dec 2022 10:05:47 +0000 (11:05 +0100)
added patches:
can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch

queue-5.15/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch b/queue-5.15/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
new file mode 100644 (file)
index 0000000..6c63d69
--- /dev/null
@@ -0,0 +1,50 @@
+From 0acc442309a0a1b01bcdaa135e56e6398a49439c Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Tue, 6 Dec 2022 21:12:59 +0100
+Subject: can: af_can: fix NULL pointer dereference in can_rcv_filter
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 0acc442309a0a1b01bcdaa135e56e6398a49439c upstream.
+
+Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer
+dereference in can_rx_register()") we need to check for a missing
+initialization of ml_priv in the receive path of CAN frames.
+
+Since commit 4e096a18867a ("net: introduce CAN specific pointer in the
+struct net_device") the check for dev->type to be ARPHRD_CAN is not
+sufficient anymore since bonding or tun netdevices claim to be CAN
+devices but do not initialize ml_priv accordingly.
+
+Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
+Reported-by: syzbot+2d7f58292cb5b29eb5ad@syzkaller.appspotmail.com
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/all/20221206201259.3028-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/af_can.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -680,7 +680,7 @@ static int can_rcv(struct sk_buff *skb,
+ {
+       struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+-      if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU)) {
++      if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CAN_MTU)) {
+               pr_warn_once("PF_CAN: dropped non conform CAN skbuff: dev type %d, len %d\n",
+                            dev->type, skb->len);
+               goto free_skb;
+@@ -706,7 +706,7 @@ static int canfd_rcv(struct sk_buff *skb
+ {
+       struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+-      if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU)) {
++      if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CANFD_MTU)) {
+               pr_warn_once("PF_CAN: dropped non conform CAN FD skbuff: dev type %d, len %d\n",
+                            dev->type, skb->len);
+               goto free_skb;
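Review bot: The `pr_warn_once()` text in both `can_rcv()` and `canfd_rcv()` is left unchanged although the guard now also drops frames when `can_get_ml_priv(dev)` returns NULL, so a drop caused by a bonding or tun device that claims ARPHRD_CAN is logged with a valid-looking dev type and length and gives no hint of the real reason. Because the warning fires only once, that single line is all an operator has when checking whether a non-CAN device is feeding the CAN receive path. Consider reporting the ml_priv state too, e.g. `pr_warn_once("PF_CAN: dropped non conform CAN skbuff: dev type %d, ml_priv %s, len %d\n", dev->type, can_get_ml_priv(dev) ? "set" : "NULL", skb->len);`, with the same change in `canfd_rcv()`; since this is a stable backport, the wording change would presumably have to land upstream first. Both function bodies start and end outside the quoted hunks.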
index 935fb173c6564a76f10e63d830ee71410f524519..046be6a1722c812ed92ec61ec13586ca79f117a7 100644 (file)
@@ -55,4 +55,5 @@ hid-usbhid-add-always_poll-quirk-for-some-mice.patch
 hid-hid-lg4ff-add-check-for-empty-lbuf.patch
 hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
 hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
+can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
 clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_.patch