From: Kery Qi
To: mkl@pengutronix.de
Cc: linux-kernel@vger.kernel.org, Kery Qi
Subject: [PATCH] can: mcp251xfd: fix UAF from workqueue double-destroy
Date: Thu, 8 Jan 2026 16:20:42 +0800
Message-ID: <20260108082042.1627-1-qikeyu2017@gmail.com>

mcp251xfd_open() allocates priv->wq after the controller is started.
If request_threaded_irq() or mcp251xfd_chip_interrupts_enable() fails,
the error path destroys the workqueue but leaves priv->wq unchanged.

This leaves a dangling non-NULL pointer that can later be destroyed
again, for example:

- a retry to open the device fails before priv->wq is reallocated and
  a later close/remove cleanup destroys the stale pointer; or
- reset/recovery paths end up calling mcp251xfd_stop() after the
  failed open and destroy priv->wq again.

Clear priv->wq after destroy_workqueue() to make teardown idempotent
and avoid double-destroy/use-after-free crashes.

This is the same bug class as CVE-2024-26802 (stmmac workqueue
teardown).

Signed-off-by: Kery Qi
---
 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
index 5134ebb85880..c5ac0c8a6e08 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
@@ -1661,6 +1661,8 @@ static int mcp251xfd_open(struct net_device *ndev) free_irq(spi->irq, priv); out_destroy_workqueue: destroy_workqueue(priv->wq); + if (priv->wq) + priv->wq =3D NULL; out_can_rx_offload_disable: can_rx_offload_disable(&priv->offload); set_bit(MCP251XFD_FLAGS_DOWN, priv->flags); --=20 2.34.1
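Review bot: the `if (priv->wq)` guard added right after `destroy_workqueue(priv->wq);` is redundant, since the pointer was just passed to destroy_workqueue() and so is already known to be non-NULL on this path; an unconditional `priv->wq = NULL;` is the usual idiom. More importantly, clearing the pointer only makes teardown idempotent if the other callers of destroy_workqueue() (the mcp251xfd_stop() path the commit message cites) check for NULL first; nothing in this hunk shows such a check, and without it the stale-pointer double destroy would simply become a destroy_workqueue(NULL) crash, so please confirm that check exists or add it in this patch. Minor: the hunk shows `=3D` because the mail was sent quoted-printable (see Content-Transfer-Encoding), which git am decodes, but it is worth checking the patch applies cleanly from the list.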
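The double-destroy sequence the commit message describes, modelled in user-space C as an added example (this is not the driver's code): a fake workqueue counts how many times it is destroyed, the unfixed and fixed open() error paths are run, and the later stop path is assumed to check for NULL before destroying, an assumption the hunk above does not show.

```c
/* Added example, not the driver's code: a user-space model of the teardown
 * pattern in the patch. The fake workqueue remembers that it was destroyed,
 * so a double destroy is counted instead of becoming a use-after-free. */
#include <stdlib.h>

struct fake_wq { int destroyed; };   /* stands in for struct workqueue_struct */
struct priv { struct fake_wq *wq; }; /* stands in for struct mcp251xfd_priv */

static int double_destroys;          /* destroy calls on an already-destroyed wq */

/* Model of destroy_workqueue(): calling it twice on one object is the bug. */
static void fake_destroy_workqueue(struct fake_wq *wq)
{
	if (wq->destroyed)
		double_destroys++;
	wq->destroyed = 1;
}

/* open() error path before the patch: destroys, leaves priv->wq dangling. */
static void open_error_path_unfixed(struct priv *priv)
{
	fake_destroy_workqueue(priv->wq);
}

/* open() error path with the patch applied: clear the pointer afterwards. */
static void open_error_path_fixed(struct priv *priv)
{
	fake_destroy_workqueue(priv->wq);
	priv->wq = NULL;
}

/* Later teardown (stop/remove). Assumed to guard on NULL; the hunk does not
 * show this check, and without it the fixed path would crash on NULL instead. */
static void stop_path(struct priv *priv)
{
	if (priv->wq) {
		fake_destroy_workqueue(priv->wq);
		priv->wq = NULL;
	}
}

/* Failed open followed by stop; returns how many double destroys occurred. */
static int run_scenario(int apply_fix)
{
	struct priv priv = { .wq = calloc(1, sizeof(struct fake_wq)) };
	struct fake_wq *wq = priv.wq;   /* keep a handle so the memory can be freed */
	double_destroys = 0;
	if (apply_fix)
		open_error_path_fixed(&priv);
	else
		open_error_path_unfixed(&priv);
	stop_path(&priv);
	free(wq);
	return double_destroys;
}
```

run_scenario(0) reproduces the stale-pointer double destroy; run_scenario(1) shows that clearing the pointer, together with the NULL guard in the later teardown, makes the sequence safe.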