* [BACKPORT stable Linux-5.10.y 1/2] can: isotp: prevent race between isotp_bind() and isotp_setsockopt()
@ 2022-02-16  6:31 Oliver Hartkopp
From: Oliver Hartkopp @ 2022-02-16  6:31 UTC (permalink / raw)
  To: gregkh, stable
  Cc: Oliver Hartkopp, Norbert Slusarek, Thadeu Lima de Souza Cascardo,
	Marc Kleine-Budde

Upstream commit 2b17c400aeb44daf041627722581ade527bb3c1d

The fixes tag of the upstream patch points to commit 921ca574cd38 ("can:
isotp: add SF_BROADCAST support for functional addressing") which showed
up in Linux 5.11 but the described issue already existed in Linux 5.10.

Norbert Slusarek writes:

A race condition was found in isotp_setsockopt() which allows to
change socket options after the socket was bound.
For the specific case of SF_BROADCAST support, this might lead to possible
use-after-free because can_rx_unregister() is not called.

Checking for the flag under the socket lock in isotp_bind() and taking
the lock in isotp_setsockopt() fixes the issue.

Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
Link: https://lore.kernel.org/r/trinity-e6ae9efa-9afb-4326-84c0-f3609b9b8168-1620773528307@3c-app-gmx-bs06
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
---
 net/can/isotp.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/net/can/isotp.c b/net/can/isotp.c
index 37db4d232313..3f11d2b314b6 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1191,20 +1191,17 @@ static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
 	addr->can_addr.tp.tx_id = so->txid;
 
 	return ISOTP_MIN_NAMELEN;
 }
 
-static int isotp_setsockopt(struct socket *sock, int level, int optname,
+static int isotp_setsockopt_locked(struct socket *sock, int level, int optname,
 			    sockptr_t optval, unsigned int optlen)
 {
 	struct sock *sk = sock->sk;
 	struct isotp_sock *so = isotp_sk(sk);
 	int ret = 0;
 
-	if (level != SOL_CAN_ISOTP)
-		return -EINVAL;
-
 	if (so->bound)
 		return -EISCONN;
 
 	switch (optname) {
 	case CAN_ISOTP_OPTS:
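Review bot: with the `level` check moved out, the `level` parameter of isotp_setsockopt_locked() is no longer used inside the function, and the continuation line `sockptr_t optval, unsigned int optlen)` is still indented for the old, shorter name; either re-align it with the opening parenthesis or drop the unused parameter. The remaining `if (so->bound) return -EISCONN;` is now the check that only works when the caller holds the socket lock, so a short comment stating that precondition (or a lockdep_sock_is_held(sk) assertion) would document why the function was split.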
@@ -1275,10 +1272,26 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname,
 	}
 
 	return ret;
 }
 
+static int isotp_setsockopt(struct socket *sock, int level, int optname,
+			    sockptr_t optval, unsigned int optlen)
+
+{
+	struct sock *sk = sock->sk;
+	int ret;
+
+	if (level != SOL_CAN_ISOTP)
+		return -EINVAL;
+
+	lock_sock(sk);
+	ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen);
+	release_sock(sk);
+	return ret;
+}
+
 static int isotp_getsockopt(struct socket *sock, int level, int optname,
 			    char __user *optval, int __user *optlen)
 {
 	struct sock *sk = sock->sk;
 	struct isotp_sock *so = isotp_sk(sk);
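Review bot: the wrapper carries a stray blank line between the parameter list and the opening brace (a lone `+` before `+{`), which checkpatch will flag. The ordering itself is right: `level` is validated before lock_sock(sk), so an -EINVAL for a foreign level never takes the lock, and every CAN_ISOTP option is now written only under the same socket lock that isotp_bind() holds, so a concurrent bind() either sees the option fully written or the setsockopt() sees so->bound and fails with -EISCONN. That is what closes the described race.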
-- 
2.30.2



* [BACKPORT stable Linux-5.10.y 2/2] can: isotp: add SF_BROADCAST support for functional addressing
@ 2022-02-16  6:31 Oliver Hartkopp
From: Oliver Hartkopp @ 2022-02-16  6:31 UTC (permalink / raw)
  To: gregkh, stable; +Cc: Oliver Hartkopp, Thomas Wagner, Marc Kleine-Budde

Upstream commit 921ca574cd382142add8b12d0a7117f495510de5

The patch was intended for 5.10 but missed the merge window by some days.
This missing patch continuously breaks the backport of stable fixes and is
the only missing feature of upstream isotp in Linux 5.10 e.g. for RasPi.

When CAN_ISOTP_SF_BROADCAST is set in the CAN_ISOTP_OPTS flags the CAN_ISOTP
socket is switched into functional addressing mode, where only single frame
(SF) protocol data units can be sent on the specified CAN interface and the
given tp.tx_id after bind().

In contrast to normal and extended addressing this socket does not register a
CAN-ID for reception which would be needed for a 1-to-1 ISOTP connection with a
segmented bi-directional data transfer.

Sending SFs on this socket is therefore a TX-only 'broadcast' operation.

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Thomas Wagner <thwa1@web.de>
Link: https://lore.kernel.org/r/20201206144731.4609-1-socketcan@hartkopp.net
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 include/uapi/linux/can/isotp.h |  2 +-
 net/can/isotp.c                | 50 ++++++++++++++++++++++++----------
 2 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/include/uapi/linux/can/isotp.h b/include/uapi/linux/can/isotp.h
index 7793b26aa154..c55935b64ccc 100644
--- a/include/uapi/linux/can/isotp.h
+++ b/include/uapi/linux/can/isotp.h
@@ -133,11 +133,11 @@ struct can_isotp_ll_options {
 #define CAN_ISOTP_HALF_DUPLEX	0x040	/* half duplex error state handling */
 #define CAN_ISOTP_FORCE_TXSTMIN	0x080	/* ignore stmin from received FC */
 #define CAN_ISOTP_FORCE_RXSTMIN	0x100	/* ignore CFs depending on rx stmin */
 #define CAN_ISOTP_RX_EXT_ADDR	0x200	/* different rx extended addressing */
 #define CAN_ISOTP_WAIT_TX_DONE	0x400	/* wait for tx completion */
-
+#define CAN_ISOTP_SF_BROADCAST	0x800	/* 1-to-N functional addressing */
 
 /* default values */
 
 #define CAN_ISOTP_DEFAULT_FLAGS		0
 #define CAN_ISOTP_DEFAULT_EXT_ADDRESS	0x00
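Review bot: the new define replaces the blank line that separated the flag list from the `/* default values */` block; adding it after CAN_ISOTP_WAIT_TX_DONE and keeping the blank line would preserve the existing grouping. Since this is UAPI, the value 0x800 (the next free bit after 0x400) has to stay identical to the upstream definition so that programs built against newer headers behave the same on 5.10.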
diff --git a/net/can/isotp.c b/net/can/isotp.c
index 3f11d2b314b6..d0581dc6a65f 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -886,10 +886,20 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 	if (!size || size > MAX_MSG_LENGTH) {
 		err = -EINVAL;
 		goto err_out_drop;
 	}
 
+	/* take care of a potential SF_DL ESC offset for TX_DL > 8 */
+	off = (so->tx.ll_dl > CAN_MAX_DLEN) ? 1 : 0;
+
+	/* does the given data fit into a single frame for SF_BROADCAST? */
+	if ((so->opt.flags & CAN_ISOTP_SF_BROADCAST) &&
+	    (size > so->tx.ll_dl - SF_PCI_SZ4 - ae - off)) {
+		err = -EINVAL;
+		goto err_out_drop;
+	}
+
 	err = memcpy_from_msg(so->tx.buf, msg, size);
 	if (err < 0)
 		goto err_out_drop;
 
 	dev = dev_get_by_index(sock_net(sk), so->ifindex);
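Review bot: the new check uses `ae`, but only `off` is visibly computed at this point; please confirm that `ae` is assigned above this hunk in the 5.10 isotp_sendmsg() and not only later, otherwise the SF_BROADCAST limit is derived from an uninitialised value. Placing the check ahead of memcpy_from_msg() is the right order: an oversized functional-addressing message is refused with -EINVAL before anything is written to so->tx.buf, so no partially filled buffer is left behind.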
@@ -913,13 +923,10 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 	so->tx.idx = 0;
 
 	cf = (struct canfd_frame *)skb->data;
 	skb_put_zero(skb, so->ll.mtu);
 
-	/* take care of a potential SF_DL ESC offset for TX_DL > 8 */
-	off = (so->tx.ll_dl > CAN_MAX_DLEN) ? 1 : 0;
-
 	/* check for single frame transmission depending on TX_DL */
 	if (size <= so->tx.ll_dl - SF_PCI_SZ4 - ae - off) {
 		/* The message size generally fits into a SingleFrame - good.
 		 *
 		 * SF_DL ESC offset optimization:
@@ -1055,11 +1062,11 @@ static int isotp_release(struct socket *sock)
 	spin_unlock(&isotp_notifier_lock);
 
 	lock_sock(sk);
 
 	/* remove current filters & unregister */
-	if (so->bound) {
+	if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST))) {
 		if (so->ifindex) {
 			struct net_device *dev;
 
 			dev = dev_get_by_index(net, so->ifindex);
 			if (dev) {
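Review bot: skipping can_rx_unregister() when CAN_ISOTP_SF_BROADCAST is set is only safe if the flag cannot change between bind() and release(); the test reads so->opt.flags at release time, not the value in effect when isotp_bind() decided whether to register. That invariant is exactly what 1/2 of this series provides (isotp_setsockopt() refuses with -EISCONN once bound, under lock_sock), so this hunk must not land in a tree without it. The doubled parentheses in `(!(so->opt.flags & CAN_ISOTP_SF_BROADCAST))` can be dropped.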
@@ -1095,26 +1102,40 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 	struct net *net = sock_net(sk);
 	int ifindex;
 	struct net_device *dev;
 	int err = 0;
 	int notify_enetdown = 0;
+	int do_rx_reg = 1;
 
 	if (len < ISOTP_MIN_NAMELEN)
 		return -EINVAL;
 
-	if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id)
-		return -EADDRNOTAVAIL;
-
-	if ((addr->can_addr.tp.rx_id | addr->can_addr.tp.tx_id) &
-	    (CAN_ERR_FLAG | CAN_RTR_FLAG))
+	if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
 		return -EADDRNOTAVAIL;
 
 	if (!addr->can_ifindex)
 		return -ENODEV;
 
 	lock_sock(sk);
 
+	/* do not register frame reception for functional addressing */
+	if (so->opt.flags & CAN_ISOTP_SF_BROADCAST)
+		do_rx_reg = 0;
+
+	/* do not validate rx address for functional addressing */
+	if (do_rx_reg) {
+		if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
+			err = -EADDRNOTAVAIL;
+			goto out;
+		}
+
+		if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
+			err = -EADDRNOTAVAIL;
+			goto out;
+		}
+	}
+
 	if (so->bound && addr->can_ifindex == so->ifindex &&
 	    addr->can_addr.tp.rx_id == so->rxid &&
 	    addr->can_addr.tp.tx_id == so->txid)
 		goto out;
 
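Review bot: reading so->opt.flags only after lock_sock(sk) is the bind-side half of the race fix, good. Two observations: the tx_id check for CAN_ERR_FLAG | CAN_RTR_FLAG stays unconditional, as it must, since functional addressing still transmits on tx_id; and the early-out for a rebind to the identical address still compares rx_id although rx_id is neither validated nor registered in broadcast mode, which is harmless but could be guarded by do_rx_reg for clarity.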
@@ -1136,17 +1157,18 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 	if (!(dev->flags & IFF_UP))
 		notify_enetdown = 1;
 
 	ifindex = dev->ifindex;
 
-	can_rx_register(net, dev, addr->can_addr.tp.rx_id,
-			SINGLE_MASK(addr->can_addr.tp.rx_id), isotp_rcv, sk,
-			"isotp", sk);
+	if (do_rx_reg)
+		can_rx_register(net, dev, addr->can_addr.tp.rx_id,
+				SINGLE_MASK(addr->can_addr.tp.rx_id),
+				isotp_rcv, sk, "isotp", sk);
 
 	dev_put(dev);
 
-	if (so->bound) {
+	if (so->bound && do_rx_reg) {
 		/* unregister old filter */
 		if (so->ifindex) {
 			dev = dev_get_by_index(net, so->ifindex);
 			if (dev) {
 				can_rx_unregister(net, dev, so->rxid,
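Review bot: `if (so->bound && do_rx_reg)` decides whether to unregister the old filter from the current flags, so a socket that was bound with reception registered must still be in that mode when it is re-bound; as in isotp_release(), this holds only because isotp_setsockopt() rejects changes after bind. A one-line comment next to do_rx_reg naming that dependency would save the next reader from re-deriving it. The register-then-unregister order on rebind is unchanged from the original: can_rx_register() for the new address runs before the old filter is removed, so a rebind is never left without a filter in between.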
@@ -1355,11 +1377,11 @@ static void isotp_notify(struct isotp_sock *so, unsigned long msg,
 
 	switch (msg) {
 	case NETDEV_UNREGISTER:
 		lock_sock(sk);
 		/* remove current filters & unregister */
-		if (so->bound)
+		if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST)))
 			can_rx_unregister(dev_net(dev), dev, so->rxid,
 					  SINGLE_MASK(so->rxid),
 					  isotp_rcv, sk);
 
 		so->ifindex = 0;
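Review bot: this is the third copy of the predicate `so->bound && !(so->opt.flags & CAN_ISOTP_SF_BROADCAST)` (isotp_release(), isotp_bind() via do_rx_reg, and here); a small static inline helper such as isotp_rx_registered(so) would keep the three sites from drifting when the next addressing mode is added. The outer parentheses around the negation are again redundant.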
-- 
2.30.2
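
As an added example (not part of the patch or of the kernel), the SF_BROADCAST payload limit that the isotp_sendmsg() hunk enforces, modelled in user-space C; CAN_MAX_DLEN and SF_PCI_SZ4 are assumed from the kernel source, since their values are not on this page.

```c
/* Added example, not kernel code: user-space model of the SF_BROADCAST
 * size check that isotp_sendmsg() applies in patch 2/2. Both constants are
 * assumed from net/can/isotp.c (CAN_MAX_DLEN is the classic CAN payload
 * length, SF_PCI_SZ4 the one-byte PCI carrying a 4-bit SF_DL). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define CAN_MAX_DLEN 8   /* assumed: classic CAN data length */
#define SF_PCI_SZ4   1   /* assumed: SingleFrame PCI with 4-bit SF_DL */

/* Largest payload one SingleFrame carries for link-layer data length
 * tx.ll_dl (8 for classic CAN, up to 64 for CAN FD) and ae extended
 * addressing bytes (0 or 1). */
int isotp_sf_max_payload(unsigned int ll_dl, unsigned int ae)
{
	/* SF_DL escape: with TX_DL > 8 the SF PCI grows by one byte */
	unsigned int off = (ll_dl > CAN_MAX_DLEN) ? 1 : 0;

	return (int)ll_dl - SF_PCI_SZ4 - (int)ae - (int)off;
}

/* Mirrors the early check added to isotp_sendmsg(): with
 * CAN_ISOTP_SF_BROADCAST set, a message that would need segmentation is
 * refused with -EINVAL before memcpy_from_msg() touches so->tx.buf.
 * Without the flag the message is accepted here and segmented later. */
int isotp_sf_broadcast_check(size_t size, unsigned int ll_dl,
			     unsigned int ae, int sf_broadcast)
{
	int max;

	if (!sf_broadcast)
		return 0;
	max = isotp_sf_max_payload(ll_dl, ae);
	if (max < 0 || size > (size_t)max)
		return -EINVAL;
	return 0;
}

int main(void)
{
	printf("classic CAN, normal addressing: max SF payload %d bytes\n",
	       isotp_sf_max_payload(8, 0));
	printf("CAN FD TX_DL 64, extended addressing: max SF payload %d bytes\n",
	       isotp_sf_max_payload(64, 1));
	printf("8-byte sendmsg() on classic CAN with SF_BROADCAST -> %d\n",
	       isotp_sf_broadcast_check(8, 8, 0, 1));
	return 0;
}
```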



* Re: [BACKPORT stable Linux-5.10.y 2/2] can: isotp: add SF_BROADCAST support for functional addressing
@ 2022-02-17 18:58 Greg KH
From: Greg KH @ 2022-02-17 18:58 UTC (permalink / raw)
  To: Oliver Hartkopp; +Cc: stable, Thomas Wagner, Marc Kleine-Budde

On Wed, Feb 16, 2022 at 07:31:37AM +0100, Oliver Hartkopp wrote:
> Upstream commit 921ca574cd382142add8b12d0a7117f495510de5
> 
> The patch was intended for 5.10 but missed the merge window by some days.
> This missing patch continuously breaks the backport of stable fixes and is
> the only missing feature of upstream isotp in Linux 5.10 e.g. for RasPi.
> 
> When CAN_ISOTP_SF_BROADCAST is set in the CAN_ISOTP_OPTS flags the CAN_ISOTP
> socket is switched into functional addressing mode, where only single frame
> (SF) protocol data units can be sent on the specified CAN interface and the
> given tp.tx_id after bind().
> 
> In contrast to normal and extended addressing this socket does not register a
> CAN-ID for reception which would be needed for a 1-to-1 ISOTP connection with a
> segmented bi-directional data transfer.
> 
> Sending SFs on this socket is therefore a TX-only 'broadcast' operation.
> 
> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
> Signed-off-by: Thomas Wagner <thwa1@web.de>
> Link: https://lore.kernel.org/r/20201206144731.4609-1-socketcan@hartkopp.net
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
>  include/uapi/linux/can/isotp.h |  2 +-
>  net/can/isotp.c                | 50 ++++++++++++++++++++++++----------
>  2 files changed, 37 insertions(+), 15 deletions(-)

Both now queued up, thanks.

greg k-h

