Linux CAN drivers development
* [PATCH] can: j1939: call j1939_priv_put() immediately when j1939_local_ecu_get() failed
@ 2025-08-24 10:30 Tetsuo Handa
  2025-08-25  9:16 ` Oleksij Rempel
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Tetsuo Handa @ 2025-08-24 10:30 UTC (permalink / raw)
  To: Robin van der Gracht, Oleksij Rempel, kernel, Oliver Hartkopp,
	Marc Kleine-Budde, linux-can, LKML

Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But a refcount leak will
happen when j1939_sk_bind() is called again after j1939_local_ecu_get()
from the previous j1939_sk_bind() call returned an error. We need to call
j1939_priv_put() before j1939_sk_bind() returns an error.

Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
The change made by commit 25fe97cb7620 might be relevant to my result

  As far as I tested, the only way that can drop the refcount to 1 is to
  call j1939_sk_release() (which involves sock_put()) on all j1939 sockets

in https://lkml.kernel.org/r/bb595640-0597-4d18-a9e1-f6eb8e6bb50e@I-love.SAKURA.ne.jp .

 net/can/j1939/socket.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
index 3d8b588822f9..493f49bfaf5d 100644
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -521,6 +521,9 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 	ret = j1939_local_ecu_get(priv, jsk->addr.src_name, jsk->addr.sa);
 	if (ret) {
 		j1939_netdev_stop(priv);
+		jsk->priv = NULL;
+		synchronize_rcu();
+		j1939_priv_put(priv);
 		goto out_release_sock;
 	}
 
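Review bot: the synchronize_rcu() between jsk->priv = NULL and j1939_priv_put(priv) has no comment naming the RCU readers of jsk->priv it waits for, and nothing in the hunk shows that such readers exist. Please add a one-line comment above it (or a sentence in the commit message) saying which path reads jsk->priv under rcu_read_lock(), since the wait only protects readers that do. The out_release_sock label also suggests the grace period is waited out with the socket lock held, so it is worth stating that this latency is acceptable on the bind error path.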
-- 
2.51.0
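
The leak described in the commit message, as a simplified userspace model added here (not kernel code and not part of the patch). It assumes each bind attempt takes one reference and the destructor drops exactly one; all `*_model` names and helpers are hypothetical, and the RCU wait from the patch is left out.

```c
/* Userspace model of the refcount flow; added example, not kernel code. */
#include <stdbool.h>
#include <stddef.h>

struct priv_model { int refs; };                 /* stands in for struct j1939_priv */
struct sock_model { struct priv_model *priv; };  /* stands in for the j1939 socket  */

static void priv_get(struct priv_model *p) { p->refs++; }
static void priv_put(struct priv_model *p) { p->refs--; }

/* One bind attempt: take a reference, then run the step that may fail. */
static int bind_model(struct sock_model *sk, struct priv_model *p,
                      bool ecu_get_fails, bool put_on_error)
{
    priv_get(p);
    sk->priv = p;               /* overwrites a pointer left by a failed bind */
    if (ecu_get_fails) {
        if (put_on_error) {     /* behaviour with the patch applied */
            sk->priv = NULL;
            priv_put(p);
        }
        return -1;              /* without the patch the reference stays held */
    }
    return 0;
}

/* Destructor: drops the single reference reachable through sk->priv. */
static void destruct_model(struct sock_model *sk)
{
    if (sk->priv)
        priv_put(sk->priv);
    sk->priv = NULL;
}

/* Failed bind, successful retry, teardown; returns references never dropped. */
static int leaked_refs(bool put_on_error)
{
    struct priv_model p = { .refs = 0 };
    struct sock_model sk = { .priv = NULL };

    bind_model(&sk, &p, true, put_on_error);
    bind_model(&sk, &p, false, put_on_error);
    destruct_model(&sk);
    return p.refs;
}

int main(void)
{
    return (leaked_refs(false) == 1 && leaked_refs(true) == 0) ? 0 : 1;
}
```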



* Re: [PATCH] can: j1939: call j1939_priv_put() immediately when j1939_local_ecu_get() failed
From: Oleksij Rempel @ 2025-08-25  9:16 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Robin van der Gracht, kernel, Oliver Hartkopp, Marc Kleine-Budde,
	linux-can, LKML

Hi Tetsuo,

On Sun, Aug 24, 2025 at 07:30:09PM +0900, Tetsuo Handa wrote:
> Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
> callback") expects that a call to j1939_priv_put() can be unconditionally
> delayed until j1939_sk_sock_destruct() is called. But a refcount leak will
> happen when j1939_sk_bind() is called again after j1939_local_ecu_get()
> from the previous j1939_sk_bind() call returned an error. We need to call
> j1939_priv_put() before j1939_sk_bind() returns an error.
> 
> Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> The change made by commit 25fe97cb7620 might be relevant to my result
> 
>   As far as I tested, the only way that can drop the refcount to 1 is to
>   call j1939_sk_release() (which involves sock_put()) on all j1939 sockets
> 
> in https://lkml.kernel.org/r/bb595640-0597-4d18-a9e1-f6eb8e6bb50e@I-love.SAKURA.ne.jp .

Thank you for your work!
Right now I'm at Open Source Summit and can't quickly respond/test your
patches. I'll try to do my best ASAP next week.

Best Regards,
Oleksij
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [PATCH] can: j1939: call j1939_priv_put() immediately when j1939_local_ecu_get() failed
From: Oleksij Rempel @ 2025-09-05  8:30 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Robin van der Gracht, kernel, Oliver Hartkopp, Marc Kleine-Budde,
	linux-can, LKML

On Sun, Aug 24, 2025 at 07:30:09PM +0900, Tetsuo Handa wrote:
> Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
> callback") expects that a call to j1939_priv_put() can be unconditionally
> delayed until j1939_sk_sock_destruct() is called. But a refcount leak will
> happen when j1939_sk_bind() is called again after j1939_local_ecu_get()
> from the previous j1939_sk_bind() call returned an error. We need to call
> j1939_priv_put() before j1939_sk_bind() returns an error.
> 
> Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [PATCH] can: j1939: call j1939_priv_put() immediately when j1939_local_ecu_get() failed
From: Marc Kleine-Budde @ 2025-09-09 11:49 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Robin van der Gracht, Oleksij Rempel, kernel, Oliver Hartkopp,
	linux-can, LKML


On 24.08.2025 19:30:09, Tetsuo Handa wrote:
> Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
> callback") expects that a call to j1939_priv_put() can be unconditionally
> delayed until j1939_sk_sock_destruct() is called. But a refcount leak will
> happen when j1939_sk_bind() is called again after j1939_local_ecu_get()
> from the previous j1939_sk_bind() call returned an error. We need to call
> j1939_priv_put() before j1939_sk_bind() returns an error.
> 
> Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Applied to linux-can.

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde          |
Embedded Linux                   | https://www.pengutronix.de |
Vertretung Nürnberg              | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-9   |
