mirror-linux/drivers
Oliver Hartkopp 8ba68464e4 bonding: refuse to enslave CAN devices
syzbot reported a kernel paging request crash in
can_rx_unregister() inside net/can/af_can.c. The crash occurs
because a virtual CAN device (vxcan) is being enslaved to a
bonding master.

During the enslavement process, the bonding driver mutates
and modifies the network device states to fit an Ethernet-like
aggregation model. However, CAN devices operate on a completely
different Layer 2 architecture, relying on the CAN mid-layer
private data structure (can_ml_priv) instead of standard
Ethernet structures. Since bonding does not initialize or
maintain these CAN structures, subsequent operations on the
half-enslaved interface (such as closing associated sockets
via isotp_release) lead to a null-pointer dereference when
accessing the CAN receiver lists.

Bonding CAN interfaces is architecturally invalid as CAN lacks
MAC addresses, ARP capabilities, and standard Ethernet
link-layer mechanisms. While generic loopback devices are
blocked globally in net/core/dev.c, virtual CAN devices
bypass this check because they do not carry the IFF_LOOPBACK
flag, despite acting as local software-loopbacks.

Fix this by explicitly blocking network devices of type
ARPHRD_CAN from being enslaved at the very beginning of
bond_enslave(). This prevents illegal state mutations,
eliminates the resulting KASAN crashes, and avoids potential
memory leaks from incomplete socket cleanups.

As the CAN support was added a long time after bonding,
the Fixes-tag points to the introduction of ARPHRD_CAN, which
would have needed specific handling in bonding_main.c.

Fixes: cd05acfe65 ("[CAN]: Allocate protocol numbers for PF_CAN")
Reported-by: syzbot+8ed98cbd0161632bce95@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8ed98cbd0161632bce95
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20260526-bonding-candev-v1-1-ba1df400918a@hartkopp.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-27 16:58:28 -07:00
accel accel/qaic: Add overflow check to remap_pfn_range during mmap 2026-05-12 10:58:18 -06:00
accessibility
acpi ACPI: driver: Check ACPI_COMPANION() against NULL during probe 2026-05-11 18:50:06 +02:00
amba
android rust: allow `clippy::collapsible_if` globally 2026-04-30 23:21:31 +02:00
ata ata: libata-scsi: do not needlessly defer commands when using PMP with FBS 2026-05-18 12:26:51 +02:00
atm net: remove unused ATM protocols and legacy ATM device drivers 2026-04-23 12:21:14 -07:00
auxdisplay auxdisplay: line-display: fix NULL dereference in linedisp_release 2026-03-27 09:54:31 +01:00
base drivers/base/memory: fix memory block reference leak in poison accounting 2026-05-13 17:40:03 -07:00
bcma
block rbd: eliminate a race in lock_dwork draining on unmap 2026-05-20 22:09:08 +02:00
bluetooth Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths 2026-05-20 16:35:47 -04:00
bus Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
cache
cdrom cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() 2026-04-27 15:52:51 -06:00
cdx
char IPMI: Fix a number of issues that came up recently 2026-05-04 12:48:30 -07:00
clk clk: rk808: fix OF node reference imbalance 2026-04-28 20:55:53 -07:00
clocksource
comedi Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
connector
counter Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
cpufreq Devicetree updates for v7.1: 2026-04-17 14:09:02 -07:00
cpuidle powerpc updates for 7.1 2026-04-14 17:10:15 -07:00
crypto crypto: ccp - copy IV using skcipher ivsize 2026-04-16 17:37:03 +08:00
cxl CXL changes for v7.1 2026-04-17 15:52:58 -07:00
dax dax changes for 7.1 2026-04-21 14:12:01 -07:00
dca
devfreq PM / devfreq: tegra30-devfreq: add support for Tegra114 2026-04-04 03:15:39 +09:00
dibs
dio
dma dmaengine updates for v7.1 2026-04-17 10:29:01 -07:00
dma-buf drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
dpll dpll: zl3073x: fix memory leak on pin registration failure 2026-05-20 19:02:01 -07:00
edac EDAC/versalnet: Fix device name memory leak 2026-05-05 14:49:48 +02:00
eisa
extcon
firewire
firmware EFI fixes for v7.1 #2 2026-05-21 08:59:52 -07:00
fpga
fsi
fwctl fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal 2026-04-10 11:21:06 -03:00
gnss
gpib Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
gpio gpio fixes for v7.1-rc1 2026-04-24 11:59:46 -07:00
gpu drm: Replace old pointer to new idr 2026-05-16 09:32:43 +10:00
greybus greybus: gb-beagleplay: bound bootloader receive buffering 2026-04-02 15:55:09 +02:00
hid HID: core: Fix size_t specifier in hid_report_raw_event() 2026-05-18 13:05:41 -07:00
hsi HSI: omap_ssi_port: remove depends on ARM 2026-04-02 22:33:44 +02:00
hte hte: tegra194: Add Tegra264 GTE support 2026-04-12 23:29:31 -07:00
hv drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
hwmon hwmon: (lm90) Add lock protection to lm90_alert 2026-05-16 08:10:33 -07:00
hwspinlock hwspinlock: u8500: delete driver 2026-04-06 09:43:18 -05:00
hwtracing Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
i2c i2c: smbus: reject oversized block transfers in the common path 2026-05-07 10:59:07 +02:00
i3c i3c: mipi-i3c-hci: fix IBI payload length calculation for final status 2026-04-12 22:06:02 +02:00
idle
iio Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
infiniband IB/IPoIB: ndo_set_rx_mode_async conversion 2026-05-15 17:16:33 -07:00
input Input updates for v7.1-rc0 2026-04-22 18:36:40 -07:00
interconnect This pull request contains the interconnect changes for the 7.1-rc1 2026-04-07 10:06:50 +02:00
iommu iommupt: Fix the end_index calculation in __map_range_leaf() 2026-05-15 07:29:16 +02:00
ipack
irqchip irqchip/riscv-imsic: Clear interrupt move state during CPU offlining 2026-05-11 15:23:11 +02:00
leds leds: class: Make led_remove_lookup() NULL-aware 2026-04-09 13:49:19 +01:00
macintosh
mailbox mailbox: mailbox-test: make data_ready a per-instance variable 2026-04-18 13:10:14 -05:00
mcb
md block-7.1-20260430 2026-05-01 11:26:15 -07:00
media media: rc: ttusbir: fix inverted error logic 2026-05-04 08:33:39 +02:00
memory dma-mapping updates for Linux 7.0: 2026-04-17 11:12:42 -07:00
memstick
message
mfd MFD for v7.1 2026-04-20 11:31:01 -07:00
misc Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
mmc mmc: sdhci-msm: Fix the wrapped key handling 2026-04-10 10:29:58 +02:00
most most: usb: Use kzalloc_objs for endpoint address array 2026-04-02 17:06:09 +02:00
mtd mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW 2026-04-27 15:08:04 +02:00
mux Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
net bonding: refuse to enslave CAN devices 2026-05-27 16:58:28 -07:00
nfc nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems 2026-05-18 18:30:36 +02:00
ntb pci-v7.1-changes 2026-04-15 14:41:21 -07:00
nubus
nvdimm vfs-7.1-rc1.integrity 2026-04-13 10:40:26 -07:00
nvme nvme-apple: Reset q->sq_tail during queue init 2026-05-14 07:40:35 -07:00
nvmem Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
of memblock: updates for 7.0-rc1 2026-04-18 11:29:14 -07:00
opp
parisc parisc: Fix IRQ leak in LASI driver 2026-05-04 11:48:12 +02:00
parport parport: Remove completed item from to-do list 2026-04-02 17:05:56 +02:00
pci PCI: Initialize temporary device in new_id_store() 2026-05-08 15:50:06 -05:00
pcmcia PCMCIA fixes and cleanups for v7.1 2026-04-23 11:22:16 -07:00
peci
perf arm64 updates for 7.1: 2026-04-14 16:48:56 -07:00
phy phy-for-7.1 2026-04-17 10:22:08 -07:00
pinctrl Pin control changes for the v7.1 kernel cycle: 2026-04-18 16:59:09 -07:00
platform platform-drivers-x86 for v7.1-3 2026-05-15 11:12:54 -07:00
pmdomain pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() 2026-04-27 14:53:30 +02:00
pnp
power USB / Thunderbolt changes for 7.1-rc1 2026-04-19 08:47:40 -07:00
powercap powercap: intel_rapl: Consolidate PL4 and PMU support flags into rapl_defaults 2026-04-01 16:03:05 +02:00
pps pps: change pps_class to a const struct 2026-04-02 16:33:00 +02:00
ps3
ptp
pwm pwm: Two driver fixes 2026-04-23 08:37:07 -07:00
rapidio
ras
regulator regulator: qcom-rpmh: Fix index for pmh0101 ldo16 2026-05-06 21:26:30 +09:00
remoteproc rpmsg updates for v7.1 2026-04-17 14:18:55 -07:00
resctrl arm_mpam: Check whether the config array is allocated before destroying it 2026-05-14 09:52:05 +01:00
reset reset: eyeq: drop device_set_of_node_from_dev() done by parent 2026-04-28 19:03:50 -07:00
rpmsg rpmsg: Constify buffer passed to send API 2026-04-06 09:37:51 -05:00
rtc RTC for 7.1 2026-04-25 16:39:03 -07:00
s390 s390/sclp: Remove SCLP_OFB Kconfig option 2026-04-28 14:45:02 +02:00
sbus
scsi SCSI fixes on 20260505 2026-05-05 14:38:31 -07:00
sh
siox
slimbus
soc rpmsg updates for v7.1 2026-04-17 14:18:55 -07:00
soundwire soundwire updates for 7.1 2026-04-17 10:16:53 -07:00
spi spi: ch341: correct company name in MODULE_DESCRIPTION 2026-05-06 23:09:33 +09:00
spmi
ssb
staging hid-for-linus-2026051401 2026-05-14 14:30:01 -07:00
target Merge branch '7.1/scsi-queue' into 7.1/scsi-fixes 2026-04-26 21:15:04 -04:00
tc
tee soc: drivers for 7.1 2026-04-16 20:34:34 -07:00
thermal bitmap updates for v7.1 2026-04-14 08:55:18 -07:00
thunderbolt thunderbolt: Changes for v7.1 merge window 2026-04-10 13:10:28 +02:00
tty TTY/Serial changes for 7.1-rc1 2026-04-19 08:44:41 -07:00
ufs scsi: ufs: core: Fix bRefClkFreq write failure in HS-LSS mode 2026-04-21 20:58:06 -04:00
uio uio: replace deprecated mmap hook with mmap_prepare in uio_info 2026-04-05 13:53:44 -07:00
usb USB serial device ids for 7.1-rc3 2026-05-08 17:18:43 +02:00
vdpa vdpa: use generic driver_override infrastructure 2026-04-04 00:47:50 +02:00
vfio vfio/pci: Check BAR resources before exporting a DMABUF 2026-05-14 11:39:03 -06:00
vhost Including fixes from Netfilter. 2026-04-23 16:50:42 -07:00
video fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free 2026-05-04 10:35:55 +02:00
virt virt: sev-guest: Do not use host-controlled page order in cleanup path 2026-05-17 11:45:07 -07:00
virtio mm.git review status for linus..mm-stable 2026-04-15 12:59:16 -07:00
w1 w1: ds2490: drop redundant device reference 2026-04-03 10:55:12 +02:00
watchdog watchdog: ni903x_wdt: Convert to a platform driver 2026-04-07 21:06:59 +02:00
xen ACPI: PAD: xen: Check ACPI_COMPANION() against NULL 2026-05-12 19:01:37 +02:00
zorro
Kconfig net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00
Makefile net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00