[PATCH 1/3] can: rcar_canfd: Fix dangling pointer on channel probe failure
From: Biju
Date: Tue Jun 30 2026 - 09:52:43 EST
From: Biju Das <biju.das.jz@xxxxxxxxxxxxxx>
In rcar_canfd_channel_probe(), the channel pointer is saved globally
via gpriv->ch[priv->channel] = priv. If register_candev() fails
shortly after, the error path uses free_candev(ndev) to release the
memory but leaves the pointer in the global array.

During teardown, rcar_canfd_probe() calls rcar_canfd_channel_remove()
for all channels in the mask. Since the dangling pointer still
evaluates to true, this will result in a use-after-free and double
free of the memory.

Clear gpriv->ch[priv->channel] in the failure path so the slot is
correctly seen as empty during teardown.

Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver")
Signed-off-by: Biju Das <biju.das.jz@xxxxxxxxxxxxxx>
---
drivers/net/can/rcar/rcar_canfd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c
index fcc37b73ed43..57f1710caa89 100644
--- a/drivers/net/can/rcar/rcar_canfd.c
+++ b/drivers/net/can/rcar/rcar_canfd.c
@@ -1982,6 +1982,7 @@ static int rcar_canfd_channel_probe(struct rcar_canfd_global *gpriv, u32 ch,
netif_napi_del(&priv->napi);
fail:
free_candev(ndev);
+ gpriv->ch[priv->channel] = NULL;
return err;
}
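Review bot: The added line reads priv->channel after free_candev(ndev), and the commit message says free_candev(ndev) releases the very memory that the saved priv pointer refers to, so the index expression dereferences freed memory in the fail: path. Clear the slot before the free by moving `gpriv->ch[priv->channel] = NULL;` above `free_candev(ndev);`, or index with the `ch` argument from the function signature if it holds the same value as priv->channel.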
--
2.43.0