• Oleksij Rempel's avatar
    net: introduce CAN specific pointer in the struct net_device · 4e096a18
    Oleksij Rempel authored
    Since 20dd3850 ("can: Speed up CAN frame receiption by using
    ml_priv") the CAN framework uses per device specific data in the AF_CAN
    protocol. For this purpose the struct net_device->ml_priv is used. Later
    the ml_priv usage in CAN was extended for other users, one of them being
    CAN_J1939.
    
    Later in the kernel ml_priv was converted to an union, used by other
    drivers. E.g. the tun driver started storing it's stats pointer.
    
    Since tun devices can claim to be a CAN device, CAN specific protocols
    will wrongly interpret this pointer, which will cause system crashes.
    Mostly this issue is visible in the CAN_J1939 stack.
    
    To fix this issue, we request a dedicated CAN pointer within the
    net_device struct.
    
    Reported-by: syzbot+5138c4dd15a0401bec7b@syzkaller.appspotmail.com
    Fixes: 20dd3850 ("can: Speed up CAN frame receiption by using ml_priv")
    Fixes: ffd956ee ("can: introduce CAN midlayer private and allocate it automatically")
    Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
    Fixes: 497a5757 ("tun: switch to net core provided statistics counters")
    Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
    Link: https://lore.kernel.org/r/20210223070127.4538-1-o.rempel@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
    4e096a18
af_can.c 24.6 KB