linux-can.vger.kernel.org archive mirror
From: Marc Kleine-Budde <mkl@pengutronix.de>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, linux-can@vger.kernel.org,
	kernel@pengutronix.de, Oliver Hartkopp <socketcan@hartkopp.net>,
	syzbot+381d06e0c8eaacb8706f@syzkaller.appspotmail.com,
	syzbot+d0ddd88c9a7432f041e6@syzkaller.appspotmail.com,
	syzbot+76d62d3b8162883c7d11@syzkaller.appspotmail.com,
	Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [net 6/6] can: af_can: can_rx_unregister(): remove WARN() statement from list operation sanity check
Date: Fri, 27 Nov 2020 11:03:01 +0100
Message-ID: <20201127100301.512603-7-mkl@pengutronix.de>
In-Reply-To: <20201127100301.512603-1-mkl@pengutronix.de>

From: Oliver Hartkopp <socketcan@hartkopp.net>

To detect potential bugs in CAN protocol implementations (double removal of
receiver entries) a WARN() statement has been used if no matching list item was
found for removal.

The fault injection issued by syzkaller was able to create a situation where
the closing of a socket runs simultaneously to the notifier call chain for
removing the CAN network device in use.

This case is very unlikely in real life but it doesn't break anything.
Therefore we just replace the WARN() statement with pr_warn() to preserve the
notification for the CAN protocol development.

Reported-by: syzbot+381d06e0c8eaacb8706f@syzkaller.appspotmail.com
Reported-by: syzbot+d0ddd88c9a7432f041e6@syzkaller.appspotmail.com
Reported-by: syzbot+76d62d3b8162883c7d11@syzkaller.appspotmail.com
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://lore.kernel.org/r/20201126192140.14350-1-socketcan@hartkopp.net
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 net/can/af_can.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/can/af_can.c b/net/can/af_can.c
index 5d124c155904..4c343b43067f 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -541,10 +541,13 @@ void can_rx_unregister(struct net *net, struct net_device *dev, canid_t can_id,
 
 	/* Check for bugs in CAN protocol implementations using af_can.c:
 	 * 'rcv' will be NULL if no matching list item was found for removal.
+	 * As this case may potentially happen when closing a socket while
+	 * the notifier for removing the CAN netdev is running we just print
+	 * a warning here.
 	 */
 	if (!rcv) {
-		WARN(1, "BUG: receive list entry not found for dev %s, id %03X, mask %03X\n",
-		     DNAME(dev), can_id, mask);
+		pr_warn("can: receive list entry not found for dev %s, id %03X, mask %03X\n",
+			DNAME(dev), can_id, mask);
 		goto out;
 	}
 
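Review bot: the pr_warn() in the `if (!rcv)` branch is not rate-limited, and the commit message says this branch is reached when a socket close runs concurrently with the notifier removing the CAN netdev, so the same sequence can be repeated and fill the kernel log. Consider pr_warn_ratelimited() (or pr_warn_once() if one notification is enough for protocol development). The comment above the check also still opens with "Check for bugs in CAN protocol implementations" while the added lines describe a benign race; it would help to say explicitly that a missing entry is no longer treated as a bug indicator on its own, so a reader of the log line knows how to weigh it.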
-- 
2.29.2


