Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-10 22:21:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
d0553680f9
linux/net/can
History
Ziyang Xuan d0553680f9 can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate 
The conclusion "j1939_session_deactivate() should be called with a
session ref-count of at least 2" is incorrect. In some concurrent
scenarios, j1939_session_deactivate can be called with the session
ref-count less than 2. But there is not any problem because it
will check the session active state before session putting in
j1939_session_deactivate_locked().

Here is the concurrent scenario of the problem reported by syzbot
and my reproduction log.

        cpu0                            cpu1
                                j1939_xtp_rx_eoma
j1939_xtp_rx_abort_one
                                j1939_session_get_by_addr [kref == 2]
j1939_session_get_by_addr [kref == 3]
j1939_session_deactivate [kref == 2]
j1939_session_put [kref == 1]
				j1939_session_completed
				j1939_session_deactivate
				WARN_ON_ONCE(kref < 2)

=====================================================
WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:j1939_session_deactivate+0x5f/0x70
Call Trace:
 j1939_session_deactivate_activate_next+0x11/0x28
 j1939_xtp_rx_eoma+0x12a/0x180
 j1939_tp_recv+0x4a2/0x510
 j1939_can_recv+0x226/0x380
 can_rcv_filter+0xf8/0x220
 can_receive+0x102/0x220
 ? process_backlog+0xf0/0x2c0
 can_rcv+0x53/0xf0
 __netif_receive_skb_one_core+0x67/0x90
 ? process_backlog+0x97/0x2c0
 __netif_receive_skb+0x22/0x80

Fixes: 0c71437dd5 ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object")
Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-02-02 10:33:26 +01:00
..
j1939 can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate 2023-02-02 10:33:26 +01:00
af_can.c net: af_can: remove useless parameter 'err' in 'can_rx_register()' 2022-12-12 11:41:24 +01:00
af_can.h can: introduce CAN midlayer private and allocate it automatically 2019-09-04 13:29:14 +02:00
bcm.c can: bcm: check the result of can_send() in bcm_can_tx() 2022-09-23 13:53:10 +02:00
gw.c can: skb: unify skb CAN frame identification helpers 2022-09-15 09:08:08 +02:00
isotp.c can: isotp: fix tx state handling for echo tx processing 2022-11-07 14:00:27 +01:00
Kconfig net: Kconfig: move the CAN device menu to the "Device Drivers" section 2022-06-11 17:11:02 +02:00
Makefile can: add ISO 15765-2:2016 transport protocol 2020-10-07 23:18:33 +02:00
proc.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
raw.c can: raw: add support for SO_MARK 2022-12-12 11:43:16 +01:00