From ab72b3230c6f8c53cf44814a11bec729daec6ab5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 11 Dec 2022 11:05:35 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
---
 ...ointer-dereference-in-can_rcv_filter.patch | 50 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 51 insertions(+)
 create mode 100644 queue-5.4/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
diff --git a/queue-5.4/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch b/queue-5.4/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
new file mode 100644
index 00000000000..6ba51a0a7bb
--- /dev/null
+++ b/queue-5.4/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
@@ -0,0 +1,50 @@
+From 0acc442309a0a1b01bcdaa135e56e6398a49439c Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Tue, 6 Dec 2022 21:12:59 +0100
+Subject: can: af_can: fix NULL pointer dereference in can_rcv_filter
+
+From: Oliver Hartkopp
+
+commit 0acc442309a0a1b01bcdaa135e56e6398a49439c upstream.
+
+Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer
+dereference in can_rx_register()") we need to check for a missing
+initialization of ml_priv in the receive path of CAN frames.
+
+Since commit 4e096a18867a ("net: introduce CAN specific pointer in the
+struct net_device") the check for dev->type to be ARPHRD_CAN is not
+sufficient anymore since bonding or tun netdevices claim to be CAN
+devices but do not initialize ml_priv accordingly.
+
+Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
+Reported-by: syzbot+2d7f58292cb5b29eb5ad@syzkaller.appspotmail.com
+Reported-by: Wei Chen
+Signed-off-by: Oliver Hartkopp
+Link: https://lore.kernel.org/all/20221206201259.3028-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/af_can.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -678,7 +678,7 @@ static int can_rcv(struct sk_buff *skb,
+ {
+ struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+
+- if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU)) {
++ if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CAN_MTU)) {
+ pr_warn_once("PF_CAN: dropped non conform CAN skbuff: dev type %d, len %d\n",
+ dev->type, skb->len);
+ goto free_skb;
+@@ -704,7 +704,7 @@ static int canfd_rcv(struct sk_buff *skb
+ {
+ struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+
+- if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU)) {
++ if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CANFD_MTU)) {
+ pr_warn_once("PF_CAN: dropped non conform CAN FD skbuff: dev type %d, len %d\n",
+ dev->type, skb->len);
+ goto free_skb;
diff --git a/queue-5.4/series b/queue-5.4/series
index a6b3832be86..9924f07fd41 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -29,3 +29,4 @@ drm-shmem-helper-remove-errant-put-in-error-path.patch
 hid-usbhid-add-always_poll-quirk-for-some-mice.patch
 hid-hid-lg4ff-add-check-for-empty-lbuf.patch
 hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
+can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
-- 
2.47.3
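Review bot: In both `can_rcv()` and `canfd_rcv()` the `pr_warn_once()` that follows the new `!can_get_ml_priv(dev)` test still prints only `dev type %d, len %d`, so a frame dropped because ml_priv is unset is logged with a valid ARPHRD_CAN type and a valid length, and the log does not show why it was dropped. Adding the device name, e.g. `"PF_CAN: dropped non conform CAN skbuff: dev %s type %d, len %d\n"` with `dev->name`, would let whoever triages the warning see that a bonding or tun device (the cases the commit message names) was the source. A short comment above the condition, saying that ARPHRD_CAN alone does not guarantee an initialised ml_priv, would keep the check from being removed in a later cleanup. Both function bodies continue outside the hunks, and this 5.4 backport presumably relies on `can_get_ml_priv()` already being present in the 5.4.y tree, which the page does not show.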