<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/net/can, branch v6.18.21</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-04-02T11:23:18+00:00</updated>
<entry>
<title>can: isotp: fix tx.buf use-after-free in isotp_sendmsg()</title>
<updated>2026-04-02T11:23:18+00:00</updated>
<author>
<name>Oliver Hartkopp</name>
<email>socketcan@hartkopp.net</email>
</author>
<published>2026-03-19T15:47:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=eec8a1b18a79600bd4419079dc0026c1db72a830'/>
<id>urn:sha1:eec8a1b18a79600bd4419079dc0026c1db72a830</id>
<content type='text'>
commit 424e95d62110cdbc8fd12b40918f37e408e35a92 upstream.

isotp_sendmsg() uses only cmpxchg() on so-&gt;tx.state to serialize access
to so-&gt;tx.buf. isotp_release() waits for ISOTP_IDLE via
wait_event_interruptible() and then calls kfree(so-&gt;tx.buf).

If a signal interrupts the wait_event_interruptible() inside close()
while tx.state is ISOTP_SENDING, the loop exits early and release
proceeds to force ISOTP_SHUTDOWN and continues to kfree(so-&gt;tx.buf)
while sendmsg may still be reading so-&gt;tx.buf for the final CAN frame
in isotp_fill_dataframe().

The so-&gt;tx.buf can be allocated once when the standard tx.buf length needs
to be extended. Move the kfree() of this potentially extended tx.buf to
sk_destruct time when either isotp_sendmsg() and isotp_release() are done.

Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size")
Cc: stable@vger.kernel.org
Reported-by: Ali Norouzi &lt;ali.norouzi@keysight.com&gt;
Co-developed-by: Ali Norouzi &lt;ali.norouzi@keysight.com&gt;
Signed-off-by: Ali Norouzi &lt;ali.norouzi@keysight.com&gt;
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>can: gw: fix OOB heap access in cgw_csum_crc8_rel()</title>
<updated>2026-04-02T11:23:18+00:00</updated>
<author>
<name>Ali Norouzi</name>
<email>ali.norouzi@keysight.com</email>
</author>
<published>2026-03-19T15:47:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=84f8b76d24273175a22713e83e90874e1880d801'/>
<id>urn:sha1:84f8b76d24273175a22713e83e90874e1880d801</id>
<content type='text'>
commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream.

cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():

    int from = calc_idx(crc8-&gt;from_idx, cf-&gt;len);
    int to   = calc_idx(crc8-&gt;to_idx,   cf-&gt;len);
    int res  = calc_idx(crc8-&gt;result_idx, cf-&gt;len);

    if (from &lt; 0 || to &lt; 0 || res &lt; 0)
        return;

However, the loop and the result write then use the raw s8 fields directly
instead of the computed variables:

    for (i = crc8-&gt;from_idx; ...)        /* BUG: raw negative index */
    cf-&gt;data[crc8-&gt;result_idx] = ...;    /* BUG: raw negative index */

With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
i = -64, reading cf-&gt;data[-64], and the write goes to cf-&gt;data[-64].
This write might end up to 56 (7.0-rc) or 40 (&lt;= 6.19) bytes before the
start of the canfd_frame on the heap.

The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
correctly throughout; fix cgw_csum_crc8_rel() to match.

Confirmed with KASAN on linux-7.0-rc2:
  BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
  Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62

To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.

Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
Cc: stable@vger.kernel.org
Reported-by: Ali Norouzi &lt;ali.norouzi@keysight.com&gt;
Reviewed-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Ali Norouzi &lt;ali.norouzi@keysight.com&gt;
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>can: statistics: add missing atomic access in hot path</title>
<updated>2026-04-02T11:23:03+00:00</updated>
<author>
<name>Oliver Hartkopp</name>
<email>socketcan@hartkopp.net</email>
</author>
<published>2026-03-18T17:34:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1500005f286fb1f4d48cbb06b1efe7942680fca9'/>
<id>urn:sha1:1500005f286fb1f4d48cbb06b1efe7942680fca9</id>
<content type='text'>
[ Upstream commit 46eee1661aa9b49966e6c43d07126fe408edda57 ]

Commit 80b5f90158d1 ("can: statistics: use atomic access in hot path")
fixed a KCSAN issue in can_receive() but missed converting the 'matches'
variable used in can_rcv_filter().

Fixes: 80b5f90158d1 ("can: statistics: use atomic access in hot path")
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Link: https://patch.msgid.link/20260318173413.28235-1-socketcan@hartkopp.net
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>can: bcm: fix locking for bcm_op runtime updates</title>
<updated>2026-03-12T11:09:51+00:00</updated>
<author>
<name>Oliver Hartkopp</name>
<email>socketcan@hartkopp.net</email>
</author>
<published>2026-02-18T10:58:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8215ba7bc99e84e66fd6938874ec4330a9d96518'/>
<id>urn:sha1:8215ba7bc99e84e66fd6938874ec4330a9d96518</id>
<content type='text'>
[ Upstream commit c35636e91e392e1540949bbc67932167cb48bc3a ]

Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")
added locking for some variables that can be modified at runtime when
updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().

Usually the RX_SETUP only handles and filters incoming traffic with one
exception: When the RX_RTR_FRAME flag is set a predefined CAN frame is
sent when a specific RTR frame is received. Therefore the rx bcm_op uses
bcm_can_tx() which uses the bcm_tx_lock that was only initialized in
bcm_tx_setup(). Add the missing spin_lock_init() when allocating the
bcm_op in bcm_rx_setup() to handle the RTR case properly.

Fixes: c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")
Reported-by: syzbot+5b11eccc403dd1cea9f8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-can/699466e4.a70a0220.2c38d7.00ff.GAE@google.com/
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Link: https://patch.msgid.link/20260218-bcm_spin_lock_init-v1-1-592634c8a5b5@hartkopp.net
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts</title>
<updated>2026-01-23T10:21:24+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2026-01-13T15:28:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6121b7564c725b632ffe4764abe85aa239d37703'/>
<id>urn:sha1:6121b7564c725b632ffe4764abe85aa239d37703</id>
<content type='text'>
commit 1809c82aa073a11b7d335ae932d81ce51a588a4a upstream.

Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is
called only when the timer is enabled, we need to call
j1939_session_deactivate_activate_next() if we cancelled the timer.
Otherwise, refcount for j1939_session leaks, which will later appear as

| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.

problem.

Reported-by: syzbot &lt;syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com&gt;
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Tested-by: Oleksij Rempel &lt;o.rempel@pengutronix.de&gt;
Acked-by: Oleksij Rempel &lt;o.rempel@pengutronix.de&gt;
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://patch.msgid.link/b1212653-8fa1-44e1-be9d-12f950fb3a07@I-love.SAKURA.ne.jp
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>can: j1939: make j1939_session_activate() fail if device is no longer registered</title>
<updated>2026-01-17T15:35:33+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2025-11-25T13:39:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=79dd3f1d9dd310c2af89b09c71f34d93973b200f'/>
<id>urn:sha1:79dd3f1d9dd310c2af89b09c71f34d93973b200f</id>
<content type='text'>
[ Upstream commit 5d5602236f5db19e8b337a2cd87a90ace5ea776d ]

syzbot is still reporting

  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2

even after commit 93a27b5891b8 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.

Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev-&gt;reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.

Reported-by: syzbot &lt;syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com&gt;
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Acked-by: Oleksij Rempel &lt;o.rempel@pengutronix.de&gt;
Link: https://patch.msgid.link/b9653191-d479-4c8b-8536-1326d028db5c@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>can: j1939: make j1939_sk_bind() fail if device is no longer registered</title>
<updated>2026-01-02T11:56:48+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2025-11-25T13:43:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=730a125ec4678ddeca965fb8a78767b51518769e'/>
<id>urn:sha1:730a125ec4678ddeca965fb8a78767b51518769e</id>
<content type='text'>
[ Upstream commit 46cea215dc9444ec32a76b1b6a9cb809e17b64d5 ]

There is a theoretical race window in j1939_sk_netdev_event_unregister()
where two j1939_sk_bind() calls jump in between read_unlock_bh() and
lock_sock().

The assumption jsk-&gt;priv == priv can fail if the first j1939_sk_bind()
call once made jsk-&gt;priv == NULL due to failed j1939_local_ecu_get() call
and the second j1939_sk_bind() call again made jsk-&gt;priv != NULL due to
successful j1939_local_ecu_get() call.

Since the socket lock is held by both j1939_sk_netdev_event_unregister()
and j1939_sk_bind(), checking ndev-&gt;reg_state with the socket lock held can
reliably make the second j1939_sk_bind() call fail (and close this race
window).

Fixes: 7fcbe5b2c6a4 ("can: j1939: implement NETDEV_UNREGISTER notification handler")
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Acked-by: Oleksij Rempel &lt;o.rempel@pengutronix.de&gt;
Link: https://patch.msgid.link/5732921e-247e-4957-a364-da74bd7031d7@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>can: j1939: add missing calls in NETDEV_UNREGISTER notification handler</title>
<updated>2025-10-13T19:26:31+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2025-09-27T12:11:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=93a27b5891b8194a8c083c9a80d2141d4bf47ba8'/>
<id>urn:sha1:93a27b5891b8194a8c083c9a80d2141d4bf47ba8</id>
<content type='text'>
Currently NETDEV_UNREGISTER event handler is not calling
j1939_cancel_active_session() and j1939_sk_queue_drop_all().
This will result in these calls being skipped when j1939_sk_release() is
called. And I guess that the reason syzbot is still reporting

  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2

is caused by lack of these calls.

Calling j1939_cancel_active_session(priv, sk) from j1939_sk_release() can
be covered by calling j1939_cancel_active_session(priv, NULL) from
j1939_netdev_notify().

Calling j1939_sk_queue_drop_all() from j1939_sk_release() can be covered
by calling j1939_sk_netdev_event_netdown() from j1939_netdev_notify().

Therefore, we can reuse j1939_cancel_active_session(priv, NULL) and
j1939_sk_netdev_event_netdown(priv) for NETDEV_UNREGISTER event handler.

Fixes: 7fcbe5b2c6a4 ("can: j1939: implement NETDEV_UNREGISTER notification handler")
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Tested-by: Oleksij Rempel &lt;o.rempel@pengutronix.de&gt;
Acked-by: Oleksij Rempel &lt;o.rempel@pengutronix.de&gt;
Link: https://patch.msgid.link/3ad3c7f8-5a74-4b07-a193-cb0725823558@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
</content>
</entry>
<entry>
<title>can: annotate mtu accesses with READ_ONCE()</title>
<updated>2025-09-23T08:04:58+00:00</updated>
<author>
<name>Vincent Mailhol</name>
<email>mailhol@kernel.org</email>
</author>
<published>2025-09-23T06:37:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c67732d067860850b767c81736b49f88a946bffb'/>
<id>urn:sha1:c67732d067860850b767c81736b49f88a946bffb</id>
<content type='text'>
As hinted in commit 501a90c94510 ("inet: protect against too small mtu
values."), net_device-&gt;mtu is vulnerable to race conditions if it is
written and read without holding the RTNL.

At the moment, all the writes are done while the interface is down,
either in the devices' probe() function or in can_changelink(). So
there are no such issues yet. But upcoming changes will allow
modifying the MTU while the CAN XL devices are up.

In preparation for the introduction of CAN XL, annotate all the
net_device-&gt;mtu accesses which are not yet guarded by the RTNL with a
READ_ONCE().

Note that all the write accesses are already either guarded by the
RTNL or are already annotated and thus need no changes.

Signed-off-by: Vincent Mailhol &lt;mailhol@kernel.org&gt;
Link: https://patch.msgid.link/20250923-can-fix-mtu-v3-1-581bde113f52@kernel.org
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
</content>
</entry>
<entry>
<title>can: raw: reorder struct raw_sock's members to optimise packing</title>
<updated>2025-09-19T18:56:35+00:00</updated>
<author>
<name>Vincent Mailhol</name>
<email>mailhol@kernel.org</email>
</author>
<published>2025-09-17T04:48:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a146cfaaa0dd8a3e2cf3447cd2965a3c4d046e8f'/>
<id>urn:sha1:a146cfaaa0dd8a3e2cf3447cd2965a3c4d046e8f</id>
<content type='text'>
struct raw_sock has several holes. Reorder the fields to save 8 bytes.

Statistics before:

  $ pahole --class_name=raw_sock net/can/raw.o
  struct raw_sock {
  	struct sock                sk __attribute__((__aligned__(8))); /*     0   776 */

  	/* XXX last struct has 1 bit hole */

  	/* --- cacheline 12 boundary (768 bytes) was 8 bytes ago --- */
  	int                        ifindex;              /*   776     4 */

  	/* XXX 4 bytes hole, try to pack */

  	struct net_device *        dev;                  /*   784     8 */
  	netdevice_tracker          dev_tracker;          /*   792     0 */
  	struct list_head           notifier;             /*   792    16 */
  	unsigned int               bound:1;              /*   808: 0  4 */
  	unsigned int               loopback:1;           /*   808: 1  4 */
  	unsigned int               recv_own_msgs:1;      /*   808: 2  4 */
  	unsigned int               fd_frames:1;          /*   808: 3  4 */
  	unsigned int               xl_frames:1;          /*   808: 4  4 */
  	unsigned int               join_filters:1;       /*   808: 5  4 */

  	/* XXX 2 bits hole, try to pack */
  	/* Bitfield combined with next fields */

  	struct can_raw_vcid_options raw_vcid_opts;       /*   809     4 */

  	/* XXX 3 bytes hole, try to pack */

  	canid_t                    tx_vcid_shifted;      /*   816     4 */
  	canid_t                    rx_vcid_shifted;      /*   820     4 */
  	canid_t                    rx_vcid_mask_shifted; /*   824     4 */
  	int                        count;                /*   828     4 */
  	/* --- cacheline 13 boundary (832 bytes) --- */
  	struct can_filter          dfilter;              /*   832     8 */
  	struct can_filter *        filter;               /*   840     8 */
  	can_err_mask_t             err_mask;             /*   848     4 */

  	/* XXX 4 bytes hole, try to pack */

  	struct uniqframe *         uniq;                 /*   856     8 */

  	/* size: 864, cachelines: 14, members: 20 */
  	/* sum members: 852, holes: 3, sum holes: 11 */
  	/* sum bitfield members: 6 bits, bit holes: 1, sum bit holes: 2 bits */
  	/* member types with bit holes: 1, total: 1 */
  	/* forced alignments: 1 */
  	/* last cacheline: 32 bytes */
  } __attribute__((__aligned__(8)));

...and after:

  $ pahole --class_name=raw_sock net/can/raw.o
  struct raw_sock {
  	struct sock                sk __attribute__((__aligned__(8))); /*     0   776 */

  	/* XXX last struct has 1 bit hole */

  	/* --- cacheline 12 boundary (768 bytes) was 8 bytes ago --- */
  	struct net_device *        dev;                  /*   776     8 */
  	netdevice_tracker          dev_tracker;          /*   784     0 */
  	struct list_head           notifier;             /*   784    16 */
  	int                        ifindex;              /*   800     4 */
  	unsigned int               bound:1;              /*   804: 0  4 */
  	unsigned int               loopback:1;           /*   804: 1  4 */
  	unsigned int               recv_own_msgs:1;      /*   804: 2  4 */
  	unsigned int               fd_frames:1;          /*   804: 3  4 */
  	unsigned int               xl_frames:1;          /*   804: 4  4 */
  	unsigned int               join_filters:1;       /*   804: 5  4 */

  	/* XXX 2 bits hole, try to pack */
  	/* Bitfield combined with next fields */

  	struct can_raw_vcid_options raw_vcid_opts;       /*   805     4 */

  	/* XXX 3 bytes hole, try to pack */

  	canid_t                    tx_vcid_shifted;      /*   812     4 */
  	canid_t                    rx_vcid_shifted;      /*   816     4 */
  	canid_t                    rx_vcid_mask_shifted; /*   820     4 */
  	can_err_mask_t             err_mask;             /*   824     4 */
  	int                        count;                /*   828     4 */
  	/* --- cacheline 13 boundary (832 bytes) --- */
  	struct can_filter          dfilter;              /*   832     8 */
  	struct can_filter *        filter;               /*   840     8 */
  	struct uniqframe *         uniq;                 /*   848     8 */

  	/* size: 856, cachelines: 14, members: 20 */
  	/* sum members: 852, holes: 1, sum holes: 3 */
  	/* sum bitfield members: 6 bits, bit holes: 1, sum bit holes: 2 bits */
  	/* member types with bit holes: 1, total: 1 */
  	/* forced alignments: 1 */
  	/* last cacheline: 24 bytes */
  } __attribute__((__aligned__(8)));

Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Vincent Mailhol &lt;mailhol@kernel.org&gt;
Link: https://patch.msgid.link/20250917-can-raw-repack-v2-3-395e8b3a4437@kernel.org
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
</content>
</entry>
</feed>
