From: Petr Vorel <pvorel@suse.cz>
To: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
Cc: dario.binacchi@amarulasolutions.com,
linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org,
Richard Palethorpe <richard.palethorpe@suse.com>,
Petr Vorel <petr.vorel@suse.com>,
Wolfgang Grandegger <wg@grandegger.com>,
Marc Kleine-Budde <mkl@pengutronix.de>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
linux-can@vger.kernel.org, netdev@vger.kernel.org,
stable@vger.kernel.org, Max Staudt <max@enpas.org>,
ltp@lists.linux.it
Subject: Re: [PATCH] can: slcan: fix freed work crash
Date: Thu, 1 Dec 2022 11:13:35 +0100 [thread overview]
Message-ID: <Y4h+T54ghKFPmkqO@pevik> (raw)
In-Reply-To: <20221201073426.17328-1-jirislaby@kernel.org>
Hi all,
Cc LTP mailing list.
Jiri, thanks a lot for quick fix!
Kind regards,
Petr
> The LTP test pty03 is causing a crash in slcan:
> BUG: kernel NULL pointer dereference, address: 0000000000000008
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
> Workqueue: 0x0 (events)
> RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
> Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
> RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
> RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
> RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
> RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
> R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
> R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
> FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
> Call Trace:
> <TASK>
> worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
> kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
> ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)
> Apparently, the slcan's tx_work is freed while being scheduled. While
> slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),
> slcan_close() (tty side) does not. So when the netdev is never set UP,
> but the tty is stuffed with bytes and forced to wakeup write, the work
> is scheduled, but never flushed.
> So add an additional flush_work() to slcan_close() to be sure the work
> is flushed under all circumstances.
> The Fixes commit below moved flush_work() from slcan_close() to
> slcan_netdev_close(). What was the rationale behind it? Maybe we can
> drop the one in slcan_netdev_close()?
> I see the same pattern in can327. So it perhaps needs the very same fix.
> Fixes: cfcb4465e992 ("can: slcan: remove legacy infrastructure")
> Link: https://bugzilla.suse.com/show_bug.cgi?id=1205597
> Reported-by: Richard Palethorpe <richard.palethorpe@suse.com>
> Tested-by: Petr Vorel <petr.vorel@suse.com>
> Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
> Cc: Wolfgang Grandegger <wg@grandegger.com>
> Cc: Marc Kleine-Budde <mkl@pengutronix.de>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: linux-can@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: stable@vger.kernel.org
> Cc: Max Staudt <max@enpas.org>
> Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
> ---
> drivers/net/can/slcan/slcan-core.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
> diff --git a/drivers/net/can/slcan/slcan-core.c b/drivers/net/can/slcan/slcan-core.c
> index fbb34139daa1..f4db77007c13 100644
> --- a/drivers/net/can/slcan/slcan-core.c
> +++ b/drivers/net/can/slcan/slcan-core.c
> @@ -864,12 +864,14 @@ static void slcan_close(struct tty_struct *tty)
> {
> struct slcan *sl = (struct slcan *)tty->disc_data;
> - /* unregister_netdev() calls .ndo_stop() so we don't have to.
> - * Our .ndo_stop() also flushes the TTY write wakeup handler,
> - * so we can safely set sl->tty = NULL after this.
> - */
> unregister_candev(sl->dev);
> + /*
> + * The netdev needn't be UP (so .ndo_stop() is not called). Hence make
> + * sure this is not running before freeing it up.
> + */
> + flush_work(&sl->tx_work);
> +
> /* Mark channel as dead */
> spin_lock_bh(&sl->lock);
> tty->disc_data = NULL;
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, linux-can@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Petr Vorel <petr.vorel@suse.com>, Max Staudt <max@enpas.org>,
Eric Dumazet <edumazet@google.com>,
Marc Kleine-Budde <mkl@pengutronix.de>,
ltp@lists.linux.it, linux-serial@vger.kernel.org,
Jakub Kicinski <kuba@kernel.org>,
dario.binacchi@amarulasolutions.com,
"David S. Miller" <davem@davemloft.net>,
Wolfgang Grandegger <wg@grandegger.com>,
Richard Palethorpe <richard.palethorpe@suse.com>
Subject: Re: [LTP] [PATCH] can: slcan: fix freed work crash
Date: Thu, 1 Dec 2022 11:13:35 +0100 [thread overview]
Message-ID: <Y4h+T54ghKFPmkqO@pevik> (raw)
In-Reply-To: <20221201073426.17328-1-jirislaby@kernel.org>
Hi all,
Cc LTP mailing list.
Jiri, thanks a lot for quick fix!
Kind regards,
Petr
> The LTP test pty03 is causing a crash in slcan:
> BUG: kernel NULL pointer dereference, address: 0000000000000008
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
> Workqueue: 0x0 (events)
> RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
> Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
> RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
> RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
> RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
> RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
> R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
> R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
> FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
> Call Trace:
> <TASK>
> worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
> kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
> ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)
> Apparently, the slcan's tx_work is freed while being scheduled. While
> slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),
> slcan_close() (tty side) does not. So when the netdev is never set UP,
> but the tty is stuffed with bytes and forced to wakeup write, the work
> is scheduled, but never flushed.
> So add an additional flush_work() to slcan_close() to be sure the work
> is flushed under all circumstances.
> The Fixes commit below moved flush_work() from slcan_close() to
> slcan_netdev_close(). What was the rationale behind it? Maybe we can
> drop the one in slcan_netdev_close()?
> I see the same pattern in can327. So it perhaps needs the very same fix.
> Fixes: cfcb4465e992 ("can: slcan: remove legacy infrastructure")
> Link: https://bugzilla.suse.com/show_bug.cgi?id=1205597
> Reported-by: Richard Palethorpe <richard.palethorpe@suse.com>
> Tested-by: Petr Vorel <petr.vorel@suse.com>
> Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
> Cc: Wolfgang Grandegger <wg@grandegger.com>
> Cc: Marc Kleine-Budde <mkl@pengutronix.de>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: linux-can@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: stable@vger.kernel.org
> Cc: Max Staudt <max@enpas.org>
> Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
> ---
> drivers/net/can/slcan/slcan-core.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
> diff --git a/drivers/net/can/slcan/slcan-core.c b/drivers/net/can/slcan/slcan-core.c
> index fbb34139daa1..f4db77007c13 100644
> --- a/drivers/net/can/slcan/slcan-core.c
> +++ b/drivers/net/can/slcan/slcan-core.c
> @@ -864,12 +864,14 @@ static void slcan_close(struct tty_struct *tty)
> {
> struct slcan *sl = (struct slcan *)tty->disc_data;
> - /* unregister_netdev() calls .ndo_stop() so we don't have to.
> - * Our .ndo_stop() also flushes the TTY write wakeup handler,
> - * so we can safely set sl->tty = NULL after this.
> - */
> unregister_candev(sl->dev);
> + /*
> + * The netdev needn't be UP (so .ndo_stop() is not called). Hence make
> + * sure this is not running before freeing it up.
> + */
> + flush_work(&sl->tx_work);
> +
> /* Mark channel as dead */
> spin_lock_bh(&sl->lock);
> tty->disc_data = NULL;
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2022-12-01 10:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-01 7:34 [PATCH] can: slcan: fix freed work crash Jiri Slaby (SUSE)
2022-12-01 10:13 ` Petr Vorel [this message]
2022-12-01 10:13 ` [LTP] " Petr Vorel
2022-12-01 18:52 ` Max Staudt
2022-12-01 18:52 ` [LTP] " Max Staudt
2022-12-02 12:14 ` Marc Kleine-Budde
2022-12-02 12:14 ` [LTP] " Marc Kleine-Budde
2022-12-02 15:27 ` Marc Kleine-Budde
2022-12-02 15:32 ` Max Staudt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y4h+T54ghKFPmkqO@pevik \
--to=pvorel@suse.cz \
--cc=dario.binacchi@amarulasolutions.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jirislaby@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-can@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=max@enpas.org \
--cc=mkl@pengutronix.de \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=petr.vorel@suse.com \
--cc=richard.palethorpe@suse.com \
--cc=stable@vger.kernel.org \
--cc=wg@grandegger.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.