Thread (61 messages) 61 messages, 5 authors, 2025-09-25

Re: [syzbot ci] Re: pull-request: can-next 2025-09-24

From: Vincent Mailhol <mailhol@kernel.org>
Date: 2025-09-24 13:31:31
Also in: linux-can, syzbot
Subsystem: can network drivers, the rest · Maintainers: Marc Kleine-Budde, Vincent Mailhol, Linus Torvalds

On 24/09/2025 at 22:18, Oliver Hartkopp wrote:
Hello Vincent,

On 24.09.25 14:40, syzbot ci wrote:
quoted
syzbot ci has tested the following series

[v1] pull-request: can-next 2025-09-24
https://lore.kernel.org/all/20250924082104.595459-1-mkl@pengutronix.de (local)
* [PATCH net-next 01/48] can: m_can: use us_to_ktime() where appropriate
* [PATCH net-next 02/48] MAINTAINERS: update Vincent Mailhol's email address
* [PATCH net-next 03/48] can: dev: sort includes by alphabetical order
* [PATCH net-next 04/48] can: peak: Modification of references to email
accounts being deleted
* [PATCH net-next 05/48] can: rcar_canfd: Update bit rate constants for RZ/G3E
and R-Car Gen4
* [PATCH net-next 06/48] can: rcar_canfd: Update RCANFD_CFG_* macros
* [PATCH net-next 07/48] can: rcar_canfd: Simplify nominal bit rate config
* [PATCH net-next 08/48] can: rcar_canfd: Simplify data bit rate config
* [PATCH net-next 09/48] can: rcar_can: Consistently use ndev for net_device
pointers
* [PATCH net-next 10/48] can: rcar_can: Add helper variable dev to
rcar_can_probe()
* [PATCH net-next 11/48] can: rcar_can: Convert to Runtime PM
* [PATCH net-next 12/48] can: rcar_can: Convert to BIT()
* [PATCH net-next 13/48] can: rcar_can: Convert to GENMASK()
* [PATCH net-next 14/48] can: rcar_can: CTLR bitfield conversion
* [PATCH net-next 15/48] can: rcar_can: TFCR bitfield conversion
* [PATCH net-next 16/48] can: rcar_can: BCR bitfield conversion
* [PATCH net-next 17/48] can: rcar_can: Mailbox bitfield conversion
* [PATCH net-next 18/48] can: rcar_can: Do not print alloc_candev() failures
* [PATCH net-next 19/48] can: rcar_can: Convert to %pe
* [PATCH net-next 20/48] can: esd_usb: Rework display of error messages
* [PATCH net-next 21/48] can: esd_usb: Avoid errors triggered from USB disconnect
* [PATCH net-next 22/48] can: raw: reorder struct uniqframe's members to
optimise packing
* [PATCH net-next 23/48] can: raw: use bitfields to store flags in struct
raw_sock
* [PATCH net-next 24/48] can: raw: reorder struct raw_sock's members to
optimise packing
* [PATCH net-next 25/48] can: annotate mtu accesses with READ_ONCE()
* [PATCH net-next 26/48] can: dev: turn can_set_static_ctrlmode() into a non-
inline function
* [PATCH net-next 27/48] can: populate the minimum and maximum MTU values
* [PATCH net-next 28/48] can: enable CAN XL for virtual CAN devices by default
* [PATCH net-next 29/48] can: dev: move struct data_bittiming_params to linux/
can/bittiming.h
* [PATCH net-next 30/48] can: dev: make can_get_relative_tdco() FD agnostic
and move it to bittiming.h
* [PATCH net-next 31/48] can: netlink: document which symbols are FD specific
* [PATCH net-next 32/48] can: netlink: refactor can_validate_bittiming()
* [PATCH net-next 33/48] can: netlink: add can_validate_tdc()
* [PATCH net-next 34/48] can: netlink: add can_validate_databittiming()
* [PATCH net-next 35/48] can: netlink: refactor CAN_CTRLMODE_TDC_{AUTO,MANUAL}
flag reset logic
* [PATCH net-next 36/48] can: netlink: remove useless check in
can_tdc_changelink()
* [PATCH net-next 37/48] can: netlink: make can_tdc_changelink() FD agnostic
* [PATCH net-next 38/48] can: netlink: add can_dtb_changelink()
* [PATCH net-next 39/48] can: netlink: add can_ctrlmode_changelink()
* [PATCH net-next 40/48] can: netlink: make can_tdc_get_size() FD agnostic
* [PATCH net-next 41/48] can: netlink: add can_data_bittiming_get_size()
* [PATCH net-next 42/48] can: netlink: add can_bittiming_fill_info()
* [PATCH net-next 43/48] can: netlink: add can_bittiming_const_fill_info()
* [PATCH net-next 44/48] can: netlink: add can_bitrate_const_fill_info()
* [PATCH net-next 45/48] can: netlink: make can_tdc_fill_info() FD agnostic
* [PATCH net-next 46/48] can: calc_bittiming: make can_calc_tdco() FD agnostic
* [PATCH net-next 47/48] can: dev: add can_get_ctrlmode_str()
* [PATCH net-next 48/48] can: netlink: add userland error messages

and found the following issue:
KASAN: slab-out-of-bounds Read in can_setup

Full report is available here:
https://ci.syzbot.org/series/7feff13b-7247-438c-9d92-b8e9fda977c7

***

KASAN: slab-out-of-bounds Read in can_setup

tree:      net-next
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/
net-next.git
base:      315f423be0d1ebe720d8fd4fa6bed68586b13d34
arch:      amd64
compiler:  Debian clang version 20.1.8 (+
+20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config:    https://ci.syzbot.org/builds/08331a39-4a31-4f96-a377-3125df2af883/
config
C repro:   https://ci.syzbot.org/findings/46cae752-cb54-4ceb-87cb-
bb9d2fdb1d79/c_repro
syz repro: https://ci.syzbot.org/findings/46cae752-cb54-4ceb-87cb-
bb9d2fdb1d79/syz_repro

netlink: 24 bytes leftover after parsing attributes in process `syz.0.17'.
==================================================================
BUG: KASAN: slab-out-of-bounds in can_set_default_mtu drivers/net/can/dev/
dev.c:350 [inline]
BUG: KASAN: slab-out-of-bounds in can_setup+0x209/0x280 drivers/net/can/dev/
dev.c:279
Read of size 4 at addr ffff888106a6ee74 by task syz.0.17/5999

CPU: 1 UID: 0 PID: 5999 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-
debian-1.16.2-1 04/01/2014
Call Trace:
  <TASK>
  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:378 [inline]
  print_report+0xca/0x240 mm/kasan/report.c:482
  kasan_report+0x118/0x150 mm/kasan/report.c:595
  can_set_default_mtu drivers/net/can/dev/dev.c:350 [inline]
When can_set_default_mtu() is called from the netlink config context it is also
used for virtual CAN interfaces (which was created by syzbot here), where the
priv pointer is not valid.
Ack. I am pretty sure that I tested it on the virtual interfaces, but I did not
have KASAN activated. So I did not notice the problem.
Please use

struct can_priv *priv = safe_candev_priv(dev);

to detect virtual CAN interfaces too.
Exactly! I am reaching the same conclusion.

Right now, I am testing this patch:
diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index e5a82aa77958..1a309ae4850d 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -345,9 +345,9 @@ EXPORT_SYMBOL_GPL(free_candev);

 void can_set_default_mtu(struct net_device *dev)
 {
-       struct can_priv *priv = netdev_priv(dev);
+       struct can_priv *priv = safe_candev_priv(dev);

-       if (priv->ctrlmode & CAN_CTRLMODE_FD) {
+       if (priv && (priv->ctrlmode & CAN_CTRLMODE_FD)) {
                dev->mtu = CANFD_MTU;
                dev->min_mtu = CANFD_MTU;
                dev->max_mtu = CANFD_MTU;
It is compiling rigth now. Another potential fix could also be:
diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index e5a82aa77958..66c7a9eee7dd 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -273,11 +273,12 @@ void can_setup(struct net_device *dev)
 {
        dev->type = ARPHRD_CAN;
        dev->hard_header_len = 0;
+       dev->mtu = CAN_MTU;
+       dev->min_mtu = CAN_MTU;
+       dev->max_mtu = CAN_MTU;
        dev->addr_len = 0;
        dev->tx_queue_len = 10;

-       can_set_default_mtu(dev);
-
        /* New-style flags. */
        dev->flags = IFF_NOARP;
        dev->features = NETIF_F_HW_CSUM;

@Marc, once I finish testing, can I just send you a diff patch and ask to squash
it in:

  [PATCH net-next 27/48] can: populate the minimum and maximum MTU values

?


Yours sincerely,
Vincent Mailhol
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help