Netdev Archive on lore.kernel.org
* pull-request: can 2019-12-03
@ 2019-12-03 10:46 Marc Kleine-Budde
  2019-12-03 10:46 ` [PATCH 1/6] MAINTAINERS: add fragment for xilinx CAN driver Marc Kleine-Budde
                   ` (6 more replies)
  0 siblings, 7 replies; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 10:46 UTC (permalink / raw)
  To: netdev; +Cc: davem, linux-can, kernel

Hello David,

this is a pull request of 6 patches for net/master.

The first two patches are against the MAINTAINERS file and add Appana
Durga Kedareswara rao as maintainer for the xilinx-can driver and Sriram
Dash for the m_can (mmio) driver.

The next patch is by Jouni Hogander and fixes a use-after-free in the
slcan driver.

Johan Hovold's patch for the ucan driver fixes the non-atomic allocation
in the completion handler.

The last two patches target the xilinx-can driver. The first one is by
Venkatesh Yadav Abbarapu and skips the error message on deferred probe,
the second one is by Srinivas Neeli and fixes the usage of the skb after
can_put_echo_skb().

regards,
Marc

---

The following changes since commit 040b5cfbcefa263ccf2c118c4938308606bb7ed8:

  Fixed updating of ethertype in function skb_mpls_pop (2019-12-02 13:03:50 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can.git tags/linux-can-fixes-for-5.5-20191203

for you to fetch changes up to 3d3c817c3a409ba51ad6e44dd8fde4cfc07c93fe:

  can: xilinx_can: Fix usage of skb memory (2019-12-03 11:15:08 +0100)

----------------------------------------------------------------
linux-can-fixes-for-5.5-20191203

----------------------------------------------------------------
Appana Durga Kedareswara rao (1):
      MAINTAINERS: add fragment for xilinx CAN driver

Johan Hovold (1):
      can: ucan: fix non-atomic allocation in completion handler

Jouni Hogander (1):
      can: slcan: Fix use-after-free Read in slcan_open

Srinivas Neeli (1):
      can: xilinx_can: Fix usage of skb memory

Sriram Dash (1):
      MAINTAINERS: add myself as maintainer of MCAN MMIO device driver

Venkatesh Yadav Abbarapu (1):
      can: xilinx_can: skip error message on deferred probe

 MAINTAINERS                  | 17 +++++++++++++++++
 drivers/net/can/slcan.c      |  1 +
 drivers/net/can/usb/ucan.c   |  2 +-
 drivers/net/can/xilinx_can.c | 28 +++++++++++++++-------------
 4 files changed, 34 insertions(+), 14 deletions(-)




* [PATCH 1/6] MAINTAINERS: add fragment for xilinx CAN driver
  2019-12-03 10:46 pull-request: can 2019-12-03 Marc Kleine-Budde
@ 2019-12-03 10:46 ` Marc Kleine-Budde
  2019-12-03 10:46 ` [PATCH 2/6] MAINTAINERS: add myself as maintainer of MCAN MMIO device driver Marc Kleine-Budde
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 10:46 UTC (permalink / raw)
  To: netdev
  Cc: davem, linux-can, kernel, Appana Durga Kedareswara rao,
	Marc Kleine-Budde

From: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>

Added entry for xilinx CAN driver.

Signed-off-by: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 MAINTAINERS | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 8608724835dd..d700e27ebf41 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -18103,6 +18103,14 @@ M:	Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
 S:	Maintained
 F:	drivers/net/ethernet/xilinx/xilinx_axienet*
 
+XILINX CAN DRIVER
+M:	Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
+R:	Naga Sureshkumar Relli <naga.sureshkumar.relli@xilinx.com>
+L:	linux-can@vger.kernel.org
+S:	Maintained
+F:	Documentation/devicetree/bindings/net/can/xilinx_can.txt
+F:	drivers/net/can/xilinx_can.c
+
 XILINX UARTLITE SERIAL DRIVER
 M:	Peter Korsgaard <jacmet@sunsite.dk>
 L:	linux-serial@vger.kernel.org
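
Review bot: The R: line in the new XILINX CAN DRIVER block adds Naga Sureshkumar Relli as a reviewer, but the commit message only says "Added entry for xilinx CAN driver" and the tags carry no Acked-by from that person. Mention the reviewer in the message and collect an ack from everyone the entry names, so that get_maintainer.pl does not start Cc'ing someone who has not agreed to it.
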
-- 
2.24.0



* [PATCH 2/6] MAINTAINERS: add myself as maintainer of MCAN MMIO device driver
  2019-12-03 10:46 pull-request: can 2019-12-03 Marc Kleine-Budde
  2019-12-03 10:46 ` [PATCH 1/6] MAINTAINERS: add fragment for xilinx CAN driver Marc Kleine-Budde
@ 2019-12-03 10:46 ` Marc Kleine-Budde
  2019-12-03 10:47 ` [PATCH 3/6] can: slcan: Fix use-after-free Read in slcan_open Marc Kleine-Budde
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 10:46 UTC (permalink / raw)
  To: netdev; +Cc: davem, linux-can, kernel, Sriram Dash, Marc Kleine-Budde

From: Sriram Dash <sriram.dash@samsung.com>

Since we are actively working on the MMIO MCAN device driver,
as discussed with Marc, I am adding myself as a maintainer.

Signed-off-by: Sriram Dash <sriram.dash@samsung.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 MAINTAINERS | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index d700e27ebf41..ecc354f4b692 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10094,6 +10094,15 @@ W:	https://linuxtv.org
 S:	Maintained
 F:	drivers/media/radio/radio-maxiradio*
 
+MCAN MMIO DEVICE DRIVER
+M:	Sriram Dash <sriram.dash@samsung.com>
+L:	linux-can@vger.kernel.org
+S:	Maintained
+F:	Documentation/devicetree/bindings/net/can/m_can.txt
+F:	drivers/net/can/m_can/m_can.c
+F:	drivers/net/can/m_can/m_can.h
+F:	drivers/net/can/m_can/m_can_platform.c
+
 MCP4018 AND MCP4531 MICROCHIP DIGITAL POTENTIOMETER DRIVERS
 M:	Peter Rosin <peda@axentia.se>
 L:	linux-iio@vger.kernel.org
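
Review bot: The F: lines of the new MCAN MMIO DEVICE DRIVER entry list drivers/net/can/m_can/m_can.c and m_can.h next to m_can_platform.c, while the section title and the commit message scope the entry to the MMIO driver. If the first two files are shared code rather than MMIO glue, either name the section after what it really covers or restrict F: to the platform file, so the responsibility reported by get_maintainer.pl matches the intent.
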
-- 
2.24.0



* [PATCH 3/6] can: slcan: Fix use-after-free Read in slcan_open
  2019-12-03 10:46 pull-request: can 2019-12-03 Marc Kleine-Budde
  2019-12-03 10:46 ` [PATCH 1/6] MAINTAINERS: add fragment for xilinx CAN driver Marc Kleine-Budde
  2019-12-03 10:46 ` [PATCH 2/6] MAINTAINERS: add myself as maintainer of MCAN MMIO device driver Marc Kleine-Budde
@ 2019-12-03 10:47 ` Marc Kleine-Budde
  2019-12-03 11:21   ` Oliver Hartkopp
  2019-12-03 10:47 ` [PATCH 4/6] can: ucan: fix non-atomic allocation in completion handler Marc Kleine-Budde
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 10:47 UTC (permalink / raw)
  To: netdev
  Cc: davem, linux-can, kernel, Jouni Hogander, Wolfgang Grandegger,
	Marc Kleine-Budde, Oliver Hartkopp, Lukas Bulwahn, linux-stable

From: Jouni Hogander <jouni.hogander@unikie.com>

slcan_open doesn't clean up a device whose registration failed from the
slcan_devs device list. On the next open this list is iterated and the
freed device is accessed. Fix this by calling slc_free_netdev in the
error path.

drivers/net/can/slcan.c is derived from slip.c. A use-after-free error
was identified in slip_open by syzbot. The same bug is in slcan.c. Here
is the trace from the Syzbot slip report:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: David Miller <davem@davemloft.net>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/slcan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
index 0a9f42e5fedf..2e57122f02fb 100644
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -617,6 +617,7 @@ static int slcan_open(struct tty_struct *tty)
 	sl->tty = NULL;
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
+	slc_free_netdev(sl->dev);
 	free_netdev(sl->dev);
 
 err_exit:
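
Review bot: The added slc_free_netdev(sl->dev) directly before free_netdev(sl->dev) in the slcan_open() error path carries an ordering requirement that nothing in the code states. A one-line comment saying that the slcan_devs entry has to be dropped before the netdev is freed would keep a later cleanup from reordering or removing the call. It is also worth confirming that no other path reaching this point has already released the entry.
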
-- 
2.24.0



* [PATCH 4/6] can: ucan: fix non-atomic allocation in completion handler
  2019-12-03 10:46 pull-request: can 2019-12-03 Marc Kleine-Budde
                   ` (2 preceding siblings ...)
  2019-12-03 10:47 ` [PATCH 3/6] can: slcan: Fix use-after-free Read in slcan_open Marc Kleine-Budde
@ 2019-12-03 10:47 ` Marc Kleine-Budde
  2019-12-03 10:47 ` [PATCH 5/6] can: xilinx_can: skip error message on deferred probe Marc Kleine-Budde
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 10:47 UTC (permalink / raw)
  To: netdev
  Cc: davem, linux-can, kernel, Johan Hovold, stable,
	Jakob Unterwurzacher, Martin Elshuber, Philipp Tomsich,
	Marc Kleine-Budde

From: Johan Hovold <johan@kernel.org>

USB completion handlers are called in atomic context and must
specifically not allocate memory using GFP_KERNEL.

Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Cc: stable <stable@vger.kernel.org>     # 4.19
Cc: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
Cc: Martin Elshuber <martin.elshuber@theobroma-systems.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/ucan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c
index 04aac3bb54ef..81e942f713e6 100644
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -792,7 +792,7 @@ static void ucan_read_bulk_callback(struct urb *urb)
 			  up);
 
 	usb_anchor_urb(urb, &up->rx_urbs);
-	ret = usb_submit_urb(urb, GFP_KERNEL);
+	ret = usb_submit_urb(urb, GFP_ATOMIC);
 
 	if (ret < 0) {
 		netdev_err(up->netdev,
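
Review bot: The `if (ret < 0)` branch after usb_submit_urb(urb, GFP_ATOMIC) in ucan_read_bulk_callback() deserves a second look, because an atomic allocation fails more readily under memory pressure and this branch becomes a realistic path. The hunk shows usb_anchor_urb(urb, &up->rx_urbs) just before the submit and is cut off after netdev_err(); check that the failure branch unanchors the urb and that a failed resubmit does not silently shrink the set of RX urbs in flight.
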
-- 
2.24.0



* [PATCH 5/6] can: xilinx_can: skip error message on deferred probe
  2019-12-03 10:46 pull-request: can 2019-12-03 Marc Kleine-Budde
                   ` (3 preceding siblings ...)
  2019-12-03 10:47 ` [PATCH 4/6] can: ucan: fix non-atomic allocation in completion handler Marc Kleine-Budde
@ 2019-12-03 10:47 ` Marc Kleine-Budde
  2019-12-03 10:47 ` [PATCH 6/6] can: xilinx_can: Fix usage of skb memory Marc Kleine-Budde
  2019-12-03 19:14 ` pull-request: can 2019-12-03 David Miller
  6 siblings, 0 replies; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 10:47 UTC (permalink / raw)
  To: netdev
  Cc: davem, linux-can, kernel, Venkatesh Yadav Abbarapu,
	Srinivas Neeli, Michal Simek, Appana Durga Kedareswara Rao,
	Marc Kleine-Budde

From: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>

When the CAN bus clock is provided from the clock wizard, the clock wizard
driver may not be available when the CAN driver probes, resulting in the
error message "bus clock not found error".

As this error message is not very useful to the end user, skip printing
it in the case of a deferred probe.

Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Signed-off-by: Srinivas Neeli <srinivas.neeli@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Appana Durga Kedareswara Rao <appana.durga.rao@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/xilinx_can.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
index 4a96e2dd7d77..c5f05b994435 100644
--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -1772,7 +1772,8 @@ static int xcan_probe(struct platform_device *pdev)
 
 	priv->bus_clk = devm_clk_get(&pdev->dev, devtype->bus_clk_name);
 	if (IS_ERR(priv->bus_clk)) {
-		dev_err(&pdev->dev, "bus clock not found\n");
+		if (PTR_ERR(priv->bus_clk) != -EPROBE_DEFER)
+			dev_err(&pdev->dev, "bus clock not found\n");
 		ret = PTR_ERR(priv->bus_clk);
 		goto err_free;
 	}
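
Review bot: In the IS_ERR(priv->bus_clk) branch of xcan_probe(), PTR_ERR(priv->bus_clk) is now evaluated twice and the deferred case leaves no trace in the log at all. Assigning ret = PTR_ERR(priv->bus_clk) first and testing ret != -EPROBE_DEFER reads more cleanly, and a dev_dbg() for the deferred case would still let someone debugging probe ordering see why the device has not appeared yet.
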
-- 
2.24.0



* [PATCH 6/6] can: xilinx_can: Fix usage of skb memory
  2019-12-03 10:46 pull-request: can 2019-12-03 Marc Kleine-Budde
                   ` (4 preceding siblings ...)
  2019-12-03 10:47 ` [PATCH 5/6] can: xilinx_can: skip error message on deferred probe Marc Kleine-Budde
@ 2019-12-03 10:47 ` Marc Kleine-Budde
  2019-12-03 19:14 ` pull-request: can 2019-12-03 David Miller
  6 siblings, 0 replies; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 10:47 UTC (permalink / raw)
  To: netdev
  Cc: davem, linux-can, kernel, Srinivas Neeli,
	Appana Durga Kedareswara Rao, Marc Kleine-Budde

From: Srinivas Neeli <srinivas.neeli@xilinx.com>

As per the Linux CAN framework, the driver is not allowed to touch the skb
memory after the can_put_echo_skb() call.
This patch fixes the same.
https://www.spinics.net/lists/linux-can/msg02199.html

Signed-off-by: Srinivas Neeli <srinivas.neeli@xilinx.com>
Reviewed-by: Appana Durga Kedareswara Rao <appana.durga.rao@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/xilinx_can.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
index c5f05b994435..464af939cd8a 100644
--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -542,16 +542,17 @@ static int xcan_do_set_mode(struct net_device *ndev, enum can_mode mode)
 
 /**
  * xcan_write_frame - Write a frame to HW
- * @priv:		Driver private data structure
+ * @ndev:		Pointer to net_device structure
  * @skb:		sk_buff pointer that contains data to be Txed
  * @frame_offset:	Register offset to write the frame to
  */
-static void xcan_write_frame(struct xcan_priv *priv, struct sk_buff *skb,
+static void xcan_write_frame(struct net_device *ndev, struct sk_buff *skb,
 			     int frame_offset)
 {
 	u32 id, dlc, data[2] = {0, 0};
 	struct canfd_frame *cf = (struct canfd_frame *)skb->data;
 	u32 ramoff, dwindex = 0, i;
+	struct xcan_priv *priv = netdev_priv(ndev);
 
 	/* Watch carefully on the bit sequence */
 	if (cf->can_id & CAN_EFF_FLAG) {
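
Review bot: The kernel-doc above xcan_write_frame() gains the @ndev line, but its summary still reads "Write a frame to HW" although the function also takes over the can_put_echo_skb() call and the priv->tx_head increment in this patch. Extend the description to say that the function queues the echo skb and that the caller must not use skb after it returns.
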
@@ -587,6 +588,14 @@ static void xcan_write_frame(struct xcan_priv *priv, struct sk_buff *skb,
 		dlc |= XCAN_DLCR_EDL_MASK;
 	}
 
+	if (!(priv->devtype.flags & XCAN_FLAG_TX_MAILBOXES) &&
+	    (priv->devtype.flags & XCAN_FLAG_TXFEMP))
+		can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max);
+	else
+		can_put_echo_skb(skb, ndev, 0);
+
+	priv->tx_head++;
+
 	priv->write_reg(priv, XCAN_FRAME_ID_OFFSET(frame_offset), id);
 	/* If the CAN frame is RTR frame this write triggers transmission
 	 * (not on CAN FD)
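
Review bot: cf is a pointer into skb->data (set at the top of xcan_write_frame()), and can_put_echo_skb() is now called here, ahead of the register writes that follow, so any cf-> access below this point touches the skb after it has been handed over, which is exactly what the commit message says is not allowed. The rest of the function is not shown in the diff; if it still reads fields through cf, copy those values into locals before the can_put_echo_skb() call or move the call to the end of the function.
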
@@ -638,13 +647,9 @@ static int xcan_start_xmit_fifo(struct sk_buff *skb, struct net_device *ndev)
 			XCAN_SR_TXFLL_MASK))
 		return -ENOSPC;
 
-	can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max);
-
 	spin_lock_irqsave(&priv->tx_lock, flags);
 
-	priv->tx_head++;
-
-	xcan_write_frame(priv, skb, XCAN_TXFIFO_OFFSET);
+	xcan_write_frame(ndev, skb, XCAN_TXFIFO_OFFSET);
 
 	/* Clear TX-FIFO-empty interrupt for xcan_tx_interrupt() */
 	if (priv->tx_max > 1)
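
Review bot: The echo index used for xcan_start_xmit_fifo() changes behaviour: it was unconditionally priv->tx_head % priv->tx_max here, and is now that value only when XCAN_FLAG_TXFEMP is set and XCAN_FLAG_TX_MAILBOXES is clear, and 0 otherwise. That is equivalent only if every FIFO device without XCAN_FLAG_TXFEMP has tx_max == 1; state that in the commit message, or pass the index in from the caller instead of re-deriving it from the devtype flags.
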
@@ -675,13 +680,9 @@ static int xcan_start_xmit_mailbox(struct sk_buff *skb, struct net_device *ndev)
 		     BIT(XCAN_TX_MAILBOX_IDX)))
 		return -ENOSPC;
 
-	can_put_echo_skb(skb, ndev, 0);
-
 	spin_lock_irqsave(&priv->tx_lock, flags);
 
-	priv->tx_head++;
-
-	xcan_write_frame(priv, skb,
+	xcan_write_frame(ndev, skb,
 			 XCAN_TXMSG_FRAME_OFFSET(XCAN_TX_MAILBOX_IDX));
 
 	/* Mark buffer as ready for transmit */
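
Review bot: can_put_echo_skb() used to run before spin_lock_irqsave(&priv->tx_lock, flags) in xcan_start_xmit_mailbox(), and likewise in the FIFO variant; through xcan_write_frame() it now runs with tx_lock held and interrupts disabled. The commit message does not mention this change of locking context, so say whether it is intended, since it lengthens the interrupts-off section.
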
-- 
2.24.0



* Re: [PATCH 3/6] can: slcan: Fix use-after-free Read in slcan_open
  2019-12-03 10:47 ` [PATCH 3/6] can: slcan: Fix use-after-free Read in slcan_open Marc Kleine-Budde
@ 2019-12-03 11:21   ` Oliver Hartkopp
  2019-12-03 11:53     ` Marc Kleine-Budde
  0 siblings, 1 reply; 10+ messages in thread
From: Oliver Hartkopp @ 2019-12-03 11:21 UTC (permalink / raw)
  To: Marc Kleine-Budde, netdev
  Cc: davem, linux-can, kernel, Jouni Hogander, Wolfgang Grandegger,
	Lukas Bulwahn, linux-stable



On 03/12/2019 11.47, Marc Kleine-Budde wrote:
> From: Jouni Hogander <jouni.hogander@unikie.com>
> 
> slcan_open doesn't clean up a device whose registration failed from the
> slcan_devs device list. On the next open this list is iterated and the
> freed device is accessed. Fix this by calling slc_free_netdev in the
> error path.
> 
> drivers/net/can/slcan.c is derived from slip.c. A use-after-free error
> was identified in slip_open by syzbot. The same bug is in slcan.c. Here
> is the trace from the Syzbot slip report:
> 
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x197/0x210 lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
> __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
> kasan_report+0x12/0x20 mm/kasan/common.c:634
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
> sl_sync drivers/net/slip/slip.c:725 [inline]
> slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
> tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
> tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
> tiocsetd drivers/tty/tty_io.c:2334 [inline]
> tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
> vfs_ioctl fs/ioctl.c:46 [inline]
> file_ioctl fs/ioctl.c:509 [inline]
> do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
> ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
> __do_sys_ioctl fs/ioctl.c:720 [inline]
> __se_sys_ioctl fs/ioctl.c:718 [inline]
> __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
> do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
> Cc: Wolfgang Grandegger <wg@grandegger.com>
> Cc: Marc Kleine-Budde <mkl@pengutronix.de>
> Cc: David Miller <davem@davemloft.net>
> Cc: Oliver Hartkopp <socketcan@hartkopp.net>
> Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
> Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
> Cc: linux-stable <stable@vger.kernel.org> # >= v5.4

I think this problem existed from the initial commit in 2010 and is not 
restricted to >= v5.4

Together with commit ed50e1600b4483c049 ("slcan: Fix memory leak 
in error path") from Jouni Hogander.

Regards,
Oliver

> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
>   drivers/net/can/slcan.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
> index 0a9f42e5fedf..2e57122f02fb 100644
> --- a/drivers/net/can/slcan.c
> +++ b/drivers/net/can/slcan.c
> @@ -617,6 +617,7 @@ static int slcan_open(struct tty_struct *tty)
>   	sl->tty = NULL;
>   	tty->disc_data = NULL;
>   	clear_bit(SLF_INUSE, &sl->flags);
> +	slc_free_netdev(sl->dev);
>   	free_netdev(sl->dev);
>   
>   err_exit:
> 
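
Review bot: The slc_free_netdev(sl->dev) line added to the slcan_open() error path is justified in the commit message by a KASAN trace from slip_open() in drivers/net/slip/slip.c, not by a trace from slcan itself. A sentence on whether the slcan path was reproduced, or was fixed by analogy only, would help anyone deciding how far back this change applies.
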


* Re: [PATCH 3/6] can: slcan: Fix use-after-free Read in slcan_open
  2019-12-03 11:21   ` Oliver Hartkopp
@ 2019-12-03 11:53     ` Marc Kleine-Budde
  0 siblings, 0 replies; 10+ messages in thread
From: Marc Kleine-Budde @ 2019-12-03 11:53 UTC (permalink / raw)
  To: Oliver Hartkopp, netdev
  Cc: davem, linux-can, kernel, Jouni Hogander, Wolfgang Grandegger,
	Lukas Bulwahn, linux-stable


On 12/3/19 12:21 PM, Oliver Hartkopp wrote:
> 
> 
> On 03/12/2019 11.47, Marc Kleine-Budde wrote:
>> From: Jouni Hogander <jouni.hogander@unikie.com>
>>
>> slcan_open doesn't clean up a device whose registration failed from the
>> slcan_devs device list. On the next open this list is iterated and the
>> freed device is accessed. Fix this by calling slc_free_netdev in the
>> error path.
>>
>> drivers/net/can/slcan.c is derived from slip.c. A use-after-free error
>> was identified in slip_open by syzbot. The same bug is in slcan.c. Here
>> is the trace from the Syzbot slip report:
>>
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x197/0x210 lib/dump_stack.c:118
>> print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
>> __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
>> kasan_report+0x12/0x20 mm/kasan/common.c:634
>> __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
>> sl_sync drivers/net/slip/slip.c:725 [inline]
>> slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
>> tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
>> tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
>> tiocsetd drivers/tty/tty_io.c:2334 [inline]
>> tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
>> vfs_ioctl fs/ioctl.c:46 [inline]
>> file_ioctl fs/ioctl.c:509 [inline]
>> do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
>> ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
>> __do_sys_ioctl fs/ioctl.c:720 [inline]
>> __se_sys_ioctl fs/ioctl.c:718 [inline]
>> __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
>> do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
>> Cc: Wolfgang Grandegger <wg@grandegger.com>
>> Cc: Marc Kleine-Budde <mkl@pengutronix.de>
>> Cc: David Miller <davem@davemloft.net>
>> Cc: Oliver Hartkopp <socketcan@hartkopp.net>
>> Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
>> Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
>> Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
> 
> I think this problem existed from the initial commit in 2010 and is not 
> restricted to >= v5.4
> 
> Together with commit ed50e1600b4483c049 ("slcan: Fix memory leak 
> in error path") from Jouni Hogander.

Yes, both patches should be backported:

ed50e1600b44 slcan: Fix memory leak in error path
9ebd796e2400 can: slcan: Fix use-after-free Read in slcan_open

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |




* Re: pull-request: can 2019-12-03
  2019-12-03 10:46 pull-request: can 2019-12-03 Marc Kleine-Budde
                   ` (5 preceding siblings ...)
  2019-12-03 10:47 ` [PATCH 6/6] can: xilinx_can: Fix usage of skb memory Marc Kleine-Budde
@ 2019-12-03 19:14 ` David Miller
  6 siblings, 0 replies; 10+ messages in thread
From: David Miller @ 2019-12-03 19:14 UTC (permalink / raw)
  To: mkl; +Cc: netdev, linux-can, kernel

From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Tue,  3 Dec 2019 11:46:57 +0100

> this is a pull request of 6 patches for net/master.
> 
> The first two patches are against the MAINTAINERS file and add Appana
> Durga Kedareswara rao as maintainer for the xilinx-can driver and Sriram
> Dash for the m_can (mmio) driver.
> 
> The next patch is by Jouni Hogander and fixes a use-after-free in the
> slcan driver.
> 
> Johan Hovold's patch for the ucan driver fixes the non-atomic allocation
> in the completion handler.
> 
> The last two patches target the xilinx-can driver. The first one is by
> Venkatesh Yadav Abbarapu and skips the error message on deferred probe,
> the second one is by Srinivas Neeli and fixes the usage of the skb after
> can_put_echo_skb().

Pulled, thanks Marc.
