From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D1F8B3F0ABB for ; Thu, 9 Jul 2026 08:36:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783586204; cv=none; b=ciq7tAR3lppu1YbyFVpn/4B9xVEPgsBlP7/N+hGpLAGiZA4KOrgXicziPump3h5mOeqT59824isyWxqqQvkC1oxlzmyXrBQRp7u4w2EHsbc24CkB864ZJi3Sp3uTGaoYOt+KBNdgTtD3XmxTxS5z8nB0T7xEzJ4WBmPTNW2wG48= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783586204; c=relaxed/simple; bh=sDfrnPA6x5ElnQ4oEo/DulL0qX7EijBmskKsc8E7UmU=; h=From:Subject:To:Cc:In-Reply-To:References:Content-Type:Date: Message-Id; b=ca6RnVmfvworokLmkiMqFQpGhua+idcrUxmtl9v6AfGY6ruJBKKRtDyTjpX/W3IeFLt1XygeTYxzjuib9J87n7L/f1+rIn8Nly5Xenj832vT6CWwJRmuGQCkEBwhdzcmu4zUpVdTi5vZmY2fQj9bKWygo9DdWhnkcXUO1DhdruE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HhN2/4Qp; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HhN2/4Qp" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4F5B91F000E9; Thu, 9 Jul 2026 08:36:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1783586202; bh=PT2Zn9YOi118eTbCwdAerRdJ5ZQg/MIbtKLWFlEwfEI=; h=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date; b=HhN2/4QpPCQsmQ/Pm0vAIytGi3X78RKlB4mG+rZCz9vOhRrqRYQp97fiXql50LgHX W9Auzh98Yui1BKQ8/VIhLF8FHK5vqcx0A1LkdKCQLgjs19rEtZa1uov37rhE4FfNao 6PrmdLDzlhR+wIer9qjN1rGASXSI8nZjCpdaJfE3Extz2B6az8PEBmvNb29iJTt1nr bjv+82Mzwrs1Q2CkPBxgbik9ixLeLlaEKpDLfvi7KNclZxG3BFiEk9jhr4b4dk9MwG P4fcjIyk4z19g2NtIIq9K46QXIfETdPO+KXawvWdoKqx8n5WIs2UE1sdX7Iu+OHrQ9 tFmHd4hl1k4DQ== From: sashiko-bot@kernel.org Subject: Re: [PATCH v9 02/10] can: bcm: fix lockless bound/ifindex race and silent RX_SETUP failure Reply-To: sashiko-reviews@lists.linux.dev To: "Oliver Hartkopp" Cc: "Vincent Mailhol" , "Oliver Hartkopp" , linux-can@vger.kernel.org, "Marc Kleine-Budde" , "Oleksij Rempel" In-Reply-To: <20260709-bcm_fixes-v9-2-6eebb78ccfb2@hartkopp.net> References: <20260709-bcm_fixes-v9-0-6eebb78ccfb2@hartkopp.net> <20260709-bcm_fixes-v9-2-6eebb78ccfb2@hartkopp.net> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Date: Thu, 09 Jul 2026 08:36:41 +0000 Message-Id: <20260709083642.4F5B91F000E9@smtp.kernel.org> Precedence: bulk X-Mailing-List: linux-can@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Thank you for your contribution! Sashiko AI review found 4 potential issue(= s) to consider: Pre-existing issues: - [High] Unsafe lockless list traversal and missing memory barriers for tx_= ops and rx_ops lists. - [High] Unbounded allocation of bcm_op structures allows local users to ex= haust kernel memory. - [Medium] bcm_rx_setup() silently fails to resume frame delivery for an up= dated RX operation if the target network device was previously unregistered. - [Medium] Data race on bo->ifindex and bo->bound during NETDEV_DOWN handli= ng risks torn reads and spurious errors. -- --- Patch [2]: [PATCH v9 02/10] can: bcm: fix lockless bound/ifindex race a= nd silent RX_SETUP failure --- commit 48dc89358d05a6bfc0097f061749b853a77c5328 Author: Oliver Hartkopp Subject: can: bcm: fix lockless bound/ifindex race and silent RX_SETUP fail= ure This commit fixes a data race between lockless reads of bo->bound and bo->ifindex in bcm_sendmsg() and locked updates in bcm_notify() and other paths. It also addresses a silent failure in bcm_rx_setup() when the requested target device concurrently disappears. Link: Closes: https://lore.kernel.org/linux-can/CAGp+u1aBK8QVjsvAxM2Ldzep4r= EbsP9x_pV3At4g=3Dh1kVEtyhA@mail.gmail.com/ > diff --git a/net/can/bcm.c b/net/can/bcm.c > --- a/net/can/bcm.c > +++ b/net/can/bcm.c > @@ -1323,6 +1323,11 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_h= ead, struct msghdr *msg, > =20 > op->rx_reg_dev =3D dev; > dev_put(dev); > + } else { > + /* the requested device is gone - do not > + * silently succeed without registering > + */ > + err =3D -ENODEV; > } [Severity: High] This is a pre-existing issue, but does the current iteration logic for bo->tx_ops and bo->rx_ops in bcm_proc_show() risk wild memory accesses or infinite loops? bcm_proc_show() iterates over the operations holding only rcu_read_lock(): net/can/bcm.c:bcm_proc_show() { ... list_for_each_entry_rcu(op, &bo->rx_ops, list) { ... } ... list_for_each_entry(op, &bo->tx_ops, list) { ... } } Meanwhile, bcm_rx_setup() and bcm_tx_setup() insert new elements without an RCU write memory barrier: net/can/bcm.c:bcm_rx_setup() { ... /* add this bcm_op to the list of the rx_ops */ list_add(&op->list, &bo->rx_ops); } Could this allow a local user reading /proc/net/can-bcm to crash the system while operations are concurrently registered? [Severity: High] This isn't a bug introduced by this patch, but is it possible for local users to exhaust kernel memory by creating a large number of BCM operations? In bcm_rx_setup() and bcm_tx_setup(), new operation structures and their associated frame arrays are allocated unboundedly: net/can/bcm.c:bcm_rx_setup() { ... op =3D kzalloc(OPSIZ, GFP_KERNEL); ... op->frames =3D kmalloc_array(msg_head->nframes, op->cfsiz, GFP_KERNEL); } Since these allocations do not appear to enforce any per-socket limit or charge the socket's memory quota (sk_rmem_alloc/sk_wmem_alloc), could an unprivileged user repeatedly call sendmsg() with unique can_ids to trigger an out-of-memory panic? [Severity: Medium] This is a pre-existing issue, but does bcm_rx_setup() silently fail to resume frame delivery for updated RX operations if the target interface was cycled? When an interface is removed, bcm_notify() handles NETDEV_UNREGISTER by unregistering the filter and setting op->rx_reg_dev =3D NULL, but leaves the op in the active bo->rx_ops list: net/can/bcm.c:bcm_rx_unreg() { ... /* mark as removed subscription */ op->rx_reg_dev =3D NULL; } If an RX_SETUP request subsequently attempts to update this existing filter, bcm_rx_setup() skips re-registration: net/can/bcm.c:bcm_rx_setup() { ... /* Only an update -> do not call can_rx_register() */ do_rx_register =3D 0; } Should this logic check if the operation is currently unregistered before clearing do_rx_register? [ ... ] > @@ -1535,7 +1564,12 @@ static void bcm_notify(struct bcm_sock *bo, unsign= ed long msg, > bo->bcm_proc_read =3D NULL; > } > #endif > - bo->bound =3D 0; > + /* Paired with the lockless fast-path check in > + * bcm_sendmsg(); bo->ifindex itself is only ever > + * accessed under lock_sock() so it needs no > + * annotation. > + */ > + WRITE_ONCE(bo->bound, 0); > bo->ifindex =3D 0; > notify_enodev =3D 1; > } [Severity: Medium] This isn't a bug introduced by this patch, but does the handling of NETDEV_DOWN in bcm_notify() have a data race on bo->ifindex and bo->bound? While the target patch adds WRITE_ONCE() for bo->bound during device removal, NETDEV_DOWN appears to read these fields locklessly: net/can/bcm.c:bcm_notify() { ... case NETDEV_DOWN: if (bo->bound && bo->ifindex =3D=3D dev->ifindex) { } If a socket is connecting to a new device while an unrelated device goes down, could the lack of barriers allow bcm_notify() to observe a new bo->bound=3D1 but the old bo->ifindex, leading to a spurious ENETDOWN error? --=20 Sashiko AI review =C2=B7 https://sashiko.dev/#/patchset/20260709-bcm_fixes-= v9-0-6eebb78ccfb2@hartkopp.net?part=3D2