From: Marc Kleine-Budde <mkl@pengutronix.de>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, linux-can@vger.kernel.org,
kernel@pengutronix.de,
Ziyang Xuan <william.xuanziyang@huawei.com>,
syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com,
Oleksij Rempel <o.rempel@pengutronix.de>,
Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [PATCH net 1/5] can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate
Date: Thu, 2 Feb 2023 10:41:31 +0100 [thread overview]
Message-ID: <20230202094135.2293939-2-mkl@pengutronix.de> (raw)
In-Reply-To: <20230202094135.2293939-1-mkl@pengutronix.de>
From: Ziyang Xuan <william.xuanziyang@huawei.com>
The conclusion "j1939_session_deactivate() should be called with a
session ref-count of at least 2" is incorrect. In some concurrent
scenarios, j1939_session_deactivate can be called with the session
ref-count less than 2. But there is not any problem because it
will check the session active state before session putting in
j1939_session_deactivate_locked().
Here is the concurrent scenario of the problem reported by syzbot
and my reproduction log.
cpu0 cpu1
j1939_xtp_rx_eoma
j1939_xtp_rx_abort_one
j1939_session_get_by_addr [kref == 2]
j1939_session_get_by_addr [kref == 3]
j1939_session_deactivate [kref == 2]
j1939_session_put [kref == 1]
j1939_session_completed
j1939_session_deactivate
WARN_ON_ONCE(kref < 2)
=====================================================
WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:j1939_session_deactivate+0x5f/0x70
Call Trace:
j1939_session_deactivate_activate_next+0x11/0x28
j1939_xtp_rx_eoma+0x12a/0x180
j1939_tp_recv+0x4a2/0x510
j1939_can_recv+0x226/0x380
can_rcv_filter+0xf8/0x220
can_receive+0x102/0x220
? process_backlog+0xf0/0x2c0
can_rcv+0x53/0xf0
__netif_receive_skb_one_core+0x67/0x90
? process_backlog+0x97/0x2c0
__netif_receive_skb+0x22/0x80
Fixes: 0c71437dd50d ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object")
Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
net/can/j1939/transport.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index 5c722b55fe23..fce9b9ebf13f 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1092,10 +1092,6 @@ static bool j1939_session_deactivate(struct j1939_session *session)
bool active;
j1939_session_list_lock(priv);
- /* This function should be called with a session ref-count of at
- * least 2.
- */
- WARN_ON_ONCE(kref_read(&session->kref) < 2);
active = j1939_session_deactivate_locked(session);
j1939_session_list_unlock(priv);
base-commit: 917d5e04d4dd2bbbf36fc6976ba442e284ccc42d
--
2.39.1
next prev parent reply other threads:[~2023-02-02 9:41 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-02 9:41 [PATCH net 0/5] pull-request: can 2023-02-02 Marc Kleine-Budde
2023-02-02 9:41 ` Marc Kleine-Budde [this message]
2023-02-02 20:00 ` [PATCH net 1/5] can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate patchwork-bot+netdevbpf
2023-02-02 9:41 ` [PATCH net 2/5] can: raw: fix CAN FD frame transmissions over CAN XL devices Marc Kleine-Budde
2023-02-02 12:43 ` Oliver Hartkopp
2023-02-02 13:10 ` Marc Kleine-Budde
2023-02-02 13:47 ` Oliver Hartkopp
2023-02-03 9:12 ` Oliver Hartkopp
2023-02-02 9:41 ` [PATCH net 3/5] can: isotp: handle wait_event_interruptible() return values Marc Kleine-Budde
2023-02-02 9:41 ` [PATCH net 4/5] can: isotp: split tx timer into transmission and timeout Marc Kleine-Budde
2023-02-02 9:41 ` [PATCH net 5/5] can: mcp251xfd: mcp251xfd_ring_set_ringparam(): assign missing tx_obj_num_coalesce_irq Marc Kleine-Budde
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230202094135.2293939-2-mkl@pengutronix.de \
--to=mkl@pengutronix.de \
--cc=davem@davemloft.net \
--cc=kernel@pengutronix.de \
--cc=kuba@kernel.org \
--cc=linux-can@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=o.rempel@pengutronix.de \
--cc=syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com \
--cc=william.xuanziyang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.