31 Dec, 2019

1 commit

  • commit 00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4 upstream.

    syzbot reproduced following crash:

    ===============================================================================
    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 0 PID: 9844 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
    Google 01/01/2011
    RIP: 0010:__lock_acquire+0x1254/0x4a00 kernel/locking/lockdep.c:3828
    Code: 00 0f 85 96 24 00 00 48 81 c4 f0 00 00 00 5b 41 5c 41 5d 41 5e 41
    5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 3c 02
    00 0f 85 0b 28 00 00 49 81 3e 20 19 78 8a 0f 84 5f ee ff
    RSP: 0018:ffff888099c3fb48 EFLAGS: 00010006
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
    RDX: 0000000000000218 RSI: 0000000000000000 RDI: 0000000000000001
    RBP: ffff888099c3fc60 R08: 0000000000000001 R09: 0000000000000001
    R10: fffffbfff146e1d0 R11: ffff888098720400 R12: 00000000000010c0
    R13: 0000000000000000 R14: 00000000000010c0 R15: 0000000000000000
    FS: 00007f0559e98700(0000) GS:ffff8880ae800000(0000)
    knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fe4d89e0000 CR3: 0000000099606000 CR4: 00000000001406f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
    _raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:175
    spin_lock_bh include/linux/spinlock.h:343 [inline]
    j1939_jsk_del+0x32/0x210 net/can/j1939/socket.c:89
    j1939_sk_bind+0x2ea/0x8f0 net/can/j1939/socket.c:448
    __sys_bind+0x239/0x290 net/socket.c:1648
    __do_sys_bind net/socket.c:1659 [inline]
    __se_sys_bind net/socket.c:1657 [inline]
    __x64_sys_bind+0x73/0xb0 net/socket.c:1657
    do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
    entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x45a679
    Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
    f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01
    f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f0559e97c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
    RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
    RDX: 0000000000000018 RSI: 0000000020000240 RDI: 0000000000000003
    RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0559e986d4
    R13: 00000000004c09e9 R14: 00000000004d37d0 R15: 00000000ffffffff
    Modules linked in:
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 9844 at kernel/locking/mutex.c:1419
    mutex_trylock+0x279/0x2f0 kernel/locking/mutex.c:1427
    ===============================================================================

    This issue was caused by a null pointer dereference, where j1939_sk_bind()
    was using a currently not existing priv.

    Possible scenario may look as following:
    cpu0                                    cpu1
    bind()
                                            bind()
    j1939_sk_bind()
                                            j1939_sk_bind()
    priv = jsk->priv;
                                            priv = jsk->priv;
    lock_sock(sock->sk);
    priv = j1939_netdev_start(ndev);
    j1939_jsk_add(priv, jsk);
    jsk->priv = priv;
    release_sock(sock->sk);
                                            lock_sock(sock->sk);
                                            j1939_jsk_del(priv, jsk);
                                            ..... ooops ......

    With this patch we move "priv = jsk->priv;" after the lock, to avoid
    assigning of wrong priv pointer.

    Reported-by: syzbot+99e9e1b200a1e363237d@syzkaller.appspotmail.com
    Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
    Signed-off-by: Oleksij Rempel
    Cc: linux-stable # >= v5.4
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

    Oleksij Rempel
     
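The interleaving described in the commit above, replayed as a constructed user-space model. This is an added illustration, not part of the commit or of the kernel source; bind_race, netdev_start, jsk_add and jsk_del are made-up stand-ins for the kernel functions, and the socket/priv structs are simplified.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of the j1939_sk_bind() race; not kernel code.
 * "priv" plays the per-netdev j1939_priv, "jsk" the socket's private data. */
struct priv { int jsk_count; };
struct jsk  { struct priv *priv; bool bound; };

static struct priv netdev_priv;                      /* the one CAN netdev   */
static struct priv *netdev_start(void) { return &netdev_priv; }
static void jsk_add(struct priv *p, struct jsk *s) { p->jsk_count++; s->bound = true; }
static void jsk_del(struct priv *p, struct jsk *s) { p->jsk_count--; s->bound = false; }

/* Replays the interleaving from the commit message: two bind() calls on the
 * same socket, cpu0 winning lock_sock(). With read_before_lock=true the
 * pre-patch order is used (priv read before lock_sock()); false is the
 * patched order (priv read after the lock). Returns true if cpu1 would pass
 * a NULL priv to jsk_del(), which in the kernel is the spin_lock_bh() on a
 * NULL pointer seen in the KASAN report. */
bool bind_race(bool read_before_lock)
{
    struct jsk sock = { .priv = NULL, .bound = false };
    struct priv *priv0 = NULL, *priv1 = NULL;

    if (read_before_lock) {          /* cpu0 and cpu1: priv = jsk->priv;  */
        priv0 = sock.priv;           /* NULL, socket not bound yet        */
        priv1 = sock.priv;           /* NULL, and cpu1 keeps this copy    */
    }

    /* cpu0: lock_sock(); socket unbound, so start the netdev and bind */
    if (!read_before_lock)
        priv0 = sock.priv;           /* patched: read under the lock      */
    if (!sock.bound) {
        priv0 = netdev_start();
        jsk_add(priv0, &sock);
        sock.priv = priv0;
    }                                /* cpu0: release_sock()              */

    /* cpu1: lock_sock(); socket is now bound, so unbind the old priv */
    if (!read_before_lock)
        priv1 = sock.priv;           /* patched: sees cpu0's assignment   */
    if (sock.bound) {
        if (priv1 == NULL)
            return true;             /* j1939_jsk_del(NULL, jsk): oops    */
        jsk_del(priv1, &sock);
    }
    return false;
}
```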

13 Nov, 2019

9 commits


05 Nov, 2019

4 commits


04 Sep, 2019

18 commits

  • SAE J1939 is the vehicle bus recommended practice used for communication
    and diagnostics among vehicle components. Originating in the car and
    heavy-duty truck industry in the United States, it is now widely used in
    other parts of the world.

    J1939, ISO 11783 and NMEA 2000 all share the same high level protocol.
    SAE J1939 can be considered the replacement for the older SAE J1708 and
    SAE J1587 specifications.

    Acked-by: Oliver Hartkopp
    Signed-off-by: Bastian Stender
    Signed-off-by: Elenita Hinds
    Signed-off-by: kbuild test robot
    Signed-off-by: Kurt Van Dijck
    Signed-off-by: Maxime Jayat
    Signed-off-by: Robin van der Gracht
    Signed-off-by: Oleksij Rempel
    Signed-off-by: Marc Kleine-Budde

    The j1939 authors
     
  • The size of this structure will be increased with J1939 support. To stay
    binary compatible, the CAN_REQUIRED_SIZE macro is introduced for
    existing CAN protocols.

    Signed-off-by: Kurt Van Dijck
    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Kurt Van Dijck
     
    The can_rx_unregister() can be called from NAPI (soft IRQ) context, at least
    by the j1939 stack. This leads to a potential deadlock with &net->can.rcvlists_lock
    called from can_rx_register:
    ===============================================================================
    WARNING: inconsistent lock state
    4.19.0-20181029-1-g3e67f95ba0d3 #3 Not tainted
    --------------------------------
    inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
    testj1939/224 [HC0[0]:SC1[1]:HE1:SE0] takes:
    1ad0fda3 (&(&net->can.rcvlists_lock)->rlock){+.?.}, at: can_rx_unregister+0x4c/0x1ac
    {SOFTIRQ-ON-W} state was registered at:
    lock_acquire+0xd0/0x1f4
    _raw_spin_lock+0x30/0x40
    can_rx_register+0x5c/0x14c
    j1939_netdev_start+0xdc/0x1f8
    j1939_sk_bind+0x18c/0x1c8
    __sys_bind+0x70/0xb0
    sys_bind+0x10/0x14
    ret_fast_syscall+0x0/0x28
    0xbedc9b64
    irq event stamp: 2440
    hardirqs last enabled at (2440): [] __local_bh_enable_ip+0xac/0x184
    hardirqs last disabled at (2439): [] __local_bh_enable_ip+0x60/0x184
    softirqs last enabled at (2412): [] release_sock+0x84/0xa4
    softirqs last disabled at (2415): [] irq_exit+0x100/0x1b0

    other info that might help us debug this:
    Possible unsafe locking scenario:

    CPU0
    ----
    lock(&(&net->can.rcvlists_lock)->rlock);
    <Interrupt>
    lock(&(&net->can.rcvlists_lock)->rlock);

    *** DEADLOCK ***

    2 locks held by testj1939/224:
    #0: 168eb13b (rcu_read_lock){....}, at: netif_receive_skb_internal+0x3c/0x350
    #1: 168eb13b (rcu_read_lock){....}, at: can_receive+0x88/0x1c0
    ===============================================================================

    To avoid this situation, we should use spin_lock_bh() instead of spin_lock().

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Oleksij Rempel
     
  • Since using the "struct can_ml_priv" for the per device "struct
    dev_rcv_lists" the call can_dev_rcv_lists_find() cannot fail anymore.
    This patch simplifies af_can by removing the NULL pointer checks from
    the dev_rcv_lists returned by can_dev_rcv_lists_find().

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch removes the old method of allocating the per device protocol
    specific memory via a netdevice_notifier. This had the drawback that
    the allocation can fail, leading to a lot of null pointer checks in the
    code. This also makes the life cycle management of this memory quite
    complicated.

    This patch switches from allocating the struct can_dev_rcv_lists in
    a NETDEV_REGISTER call to using the dev->ml_priv, which is allocated by
    the driver since the previous patch.

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch introduces the CAN midlayer private structure ("struct
    can_ml_priv") which should be used to hold protocol specific per device
    data structures. For now its only member is "struct can_dev_rcv_lists".

    The CAN midlayer private is allocated via alloc_netdev()'s private and
    assigned to "struct net_device::ml_priv" during device creation. This is
    done transparently for CAN drivers using alloc_candev(). The slcan, vcan
    and vxcan drivers which are not using alloc_candev() have been adopted
    manually. The memory layout of the netdev_priv allocated via
    alloc_candev() will look like this:

    +-------------------------+
    | driver's priv           |
    +-------------------------+
    | struct can_ml_priv      |
    +-------------------------+
    | array of struct sk_buff |
    +-------------------------+

    Signed-off-by: Oleksij Rempel
    Signed-off-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
  • The networking core takes care and unregisters every network device in
    a namespace before calling the can_pernet_exit() hook. This patch
    removes the unneeded cleanup.

    Acked-by: Oliver Hartkopp
    Suggested-by: Kirill Tkhai
    Signed-off-by: Oleksij Rempel
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
  • This patch replaces an open coded max by the proper kernel define max().

    Acked-by: Oliver Hartkopp
    Signed-off-by: Oleksij Rempel
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch gives the variables holding the CAN receiver and the receiver
    list a better name by renaming them from "r" to "rcv" and "rl" to
    "recv_list".

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch adds the commonly used prefix "can_" to the find_dev_rcv_lists()
    function and moves the "find" to the end, as the function returns a struct
    can_dev_rcv_list. This improves the overall readability of the code.

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch adds the commonly used prefix "can_" to the find_rcv_list()
    function and adds the "find" to the end, as the function returns a struct
    rcv_list. This improves the overall readability of the code.

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
  • This patch gives the variables holding the CAN per device receive filter lists
    a better name by renaming them from "d" to "dev_rcv_lists".

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
  • This patch gives the variables holding the CAN receive filter lists a
    better name by renaming them from "d" to "dev_rcv_lists".

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch improves the code readability by removing the redundant "can_"
    prefix from the members of struct netns_can (as the struct netns_can itself
    is the member "can" of the struct net.)

    The conversion is done with:

    sed -i \
    -e "s/struct can_dev_rcv_lists \*can_rx_alldev_list;/struct can_dev_rcv_lists *rx_alldev_list;/" \
    -e "s/spinlock_t can_rcvlists_lock;/spinlock_t rcvlists_lock;/" \
    -e "s/struct timer_list can_stattimer;/struct timer_list stattimer; /" \
    -e "s/can\.can_rx_alldev_list/can.rx_alldev_list/g" \
    -e "s/can\.can_rcvlists_lock/can.rcvlists_lock/g" \
    -e "s/can\.can_stattimer/can.stattimer/g" \
    include/net/netns/can.h \
    net/can/*.[ch]

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch renames the variables holding the CAN statistics (can_stats
    and can_pstats) to pkg_stats and rcv_lists_stats, which better reflect
    their meaning.

    The conversion is done with:

    sed -i \
    -e "s/can_stats\([^_]\)/pkg_stats\1/g" \
    -e "s/can_pstats/rcv_lists_stats/g" \
    net/can/proc.c

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
    This patch renames the variables holding the CAN statistics (can_stats
    and can_pstats) to pkg_stats and rcv_lists_stats, which better reflect
    their meaning.

    The conversion is done with:

    sed -i \
    -e "s/can_stats\([^_]\)/pkg_stats\1/g" \
    -e "s/can_pstats/rcv_lists_stats/g" \
    net/can/af_can.c

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
  • This patch gives the members of the struct netns_can that are holding
    the statistics a sensible name, by renaming struct netns_can::can_stats
    into struct netns_can::pkg_stats and struct netns_can::can_pstats into
    struct netns_can::rcv_lists_stats.

    The conversion is done with:

    sed -i \
    -e "s:\(struct[^*]*\*\)can_stats;.*:\1pkg_stats;:" \
    -e "s:\(struct[^*]*\*\)can_pstats;.*:\1rcv_lists_stats;:" \
    -e "s/can\.can_stats/can.pkg_stats/g" \
    -e "s/can\.can_pstats/can.rcv_lists_stats/g" \
    net/can/*.[ch] \
    include/net/netns/can.h

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     
  • This patch renames both "struct s_stats" and "struct s_pstats", to
    "struct can_pkg_stats" and "struct can_rcv_lists_stats" to better
    reflect their meaning and improve code readability.

    The conversion is done with:

    sed -i \
    -e "s/struct s_stats/struct can_pkg_stats/g" \
    -e "s/struct s_pstats/struct can_rcv_lists_stats/g" \
    net/can/*.[ch] \
    include/net/netns/can.h

    Signed-off-by: Oleksij Rempel
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

    Marc Kleine-Budde
     

13 Aug, 2019

8 commits