All of lore.kernel.org
 help / color / mirror / Atom feed
From: Oleksij Rempel <o.rempel@pengutronix.de>
To: Jiri Pirko <jiri@resnulli.us>
Cc: Dmitry Antipov <dmantipov@yandex.ru>,
	Robin van der Gracht <robin@protonic.nl>,
	Oliver Hartkopp <socketcan@hartkopp.net>,
	Marc Kleine-Budde <mkl@pengutronix.de>,
	linux-can@vger.kernel.org, netdev@vger.kernel.org,
	lvc-project@linuxtesting.org,
	syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] can: fix skb reference counting in j1939_session_new()
Date: Wed, 6 Nov 2024 10:43:04 +0100	[thread overview]
Message-ID: <Zys6KGmEWVnwidLb@pengutronix.de> (raw)
In-Reply-To: <ZypJ4ZnR0JkPedNz@nanopsycho.orion>

On Tue, Nov 05, 2024 at 05:37:53PM +0100, Jiri Pirko wrote:
> Tue, Nov 05, 2024 at 10:48:23AM CET, dmantipov@yandex.ru wrote:
> >Since 'j1939_session_skb_queue()' do an extra 'skb_get()' for each
> >new skb, I assume that the same should be done for an initial one
> 
> It is odd to write "I assume" for fix like this. You should know for
> sure, don't you?

Hm... looks the there is more then one refcounting problem at this
point. skb_queue is set from 3 different paths, with resulting 3 different
refcount states:

j1939_sk_send_loop()
  skb = j1939_sk_alloc_skb() // skb with refcount == 1
  if (!session) {
    session = j1939_tp_send(priv, skb, size)
       ... 
       session = j1939_session_new(priv, skb, size);
          skb_queue_tail(&session->skb_queue, skb); // skb refcount == 1
          
  } else {
    j1939_session_skb_queue(session, skb);
      // here, skb is refcounted
      skb_queue_tail(&session->skb_queue, skb_get(skb)); // skb refcount == 2
  }
  
  // at the end of function, skb refcount == 1 or 2
     
j1939_xtp_rx_rts_session_new()
  j1939_session_fresh_new()
    skb = alloc_skb() // skb with refcount == 1
    session = j1939_session_new(priv, skb, size);
       skb_queue_tail(&session->skb_queue, skb);
    skb_put(skb, size); // skb with refcount == 0

I agree with this patch, but there is missing skb_put() in j1939_sk_send_loop()

> 
> >in 'j1939_session_new()' just to avoid refcount underflow.
> >
> >Reported-by: syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com
> >Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31
> >Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
> >Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> >---
> >v2: resend after hitting skb refcount underflow once again when looking
> >around https://syzkaller.appspot.com/bug?extid=0e6ddb1ef80986bdfe64
> >---
> > net/can/j1939/transport.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> >diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
> >index 319f47df3330..95f7a7e65a73 100644
> >--- a/net/can/j1939/transport.c
> >+++ b/net/can/j1939/transport.c
> >@@ -1505,7 +1505,7 @@ static struct j1939_session *j1939_session_new(struct j1939_priv *priv,
> > 	session->state = J1939_SESSION_NEW;
> > 
> > 	skb_queue_head_init(&session->skb_queue);
> >-	skb_queue_tail(&session->skb_queue, skb);
> >+	skb_queue_tail(&session->skb_queue, skb_get(skb));
> > 
> > 	skcb = j1939_skb_to_cb(skb);
> > 	memcpy(&session->skcb, skcb, sizeof(session->skcb));
> >-- 
> >2.47.0
> >
> >
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

  reply	other threads:[~2024-11-06  9:43 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-05  9:48 [PATCH v2] can: fix skb reference counting in j1939_session_new() Dmitry Antipov
2024-11-05 16:37 ` Jiri Pirko
2024-11-06  9:43   ` Oleksij Rempel [this message]
2024-11-06 11:05     ` Dmitry Antipov
2024-11-29 13:25     ` Oleksij Rempel
2024-11-06 11:03   ` Dmitry Antipov
2024-11-06 14:42     ` Jiri Pirko
2024-11-29 12:55 ` Oleksij Rempel
2024-11-29 12:59   ` Marc Kleine-Budde
2024-11-29 13:05     ` Marc Kleine-Budde
2024-11-29 13:22       ` Oleksij Rempel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Zys6KGmEWVnwidLb@pengutronix.de \
    --to=o.rempel@pengutronix.de \
    --cc=dmantipov@yandex.ru \
    --cc=jiri@resnulli.us \
    --cc=linux-can@vger.kernel.org \
    --cc=lvc-project@linuxtesting.org \
    --cc=mkl@pengutronix.de \
    --cc=netdev@vger.kernel.org \
    --cc=robin@protonic.nl \
    --cc=socketcan@hartkopp.net \
    --cc=syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.