From: Marc Kleine-Budde <mkl@pengutronix.de>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, linux-can@vger.kernel.org,
	kernel@pengutronix.de, Oleksij Rempel <o.rempel@pengutronix.de>,
	Oliver Hartkopp <socketcan@hartkopp.net>,
	Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [net 07/27] can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()
Date: Tue,  3 Nov 2020 23:06:16 +0100	[thread overview]
Message-ID: <20201103220636.972106-8-mkl@pengutronix.de> (raw)
In-Reply-To: <20201103220636.972106-1-mkl@pengutronix.de>

From: Oleksij Rempel <o.rempel@pengutronix.de>

All user space generated SKBs are owned by a socket (unless injected into the
kernel via AF_PACKET). If a socket is closed, all associated skbs will be cleaned
up.

This leads to a problem when a CAN driver calls can_put_echo_skb() on an
unshared SKB. If the socket is closed prior to the TX complete handler,
can_get_echo_skb() and the subsequent delivery of the echo SKB to all
registered callbacks, an SKB with a refcount of 0 is delivered.

To avoid the problem, in can_get_echo_skb() the original SKB is now always
cloned, regardless of whether the SKB is shared or not. If the process exits it
can now safely discard its SKBs, without disturbing the delivery of the echo SKB.

The problem shows up in the j1939 stack, when it clones the incoming skb, which
detects the already 0 refcount.

We can easily reproduce this with the following example:

testj1939 -B -r can0: &
cansend can0 1823ff40#0123

WARNING: CPU: 0 PID: 293 at lib/refcount.c:25 refcount_warn_saturate+0x108/0x174
refcount_t: addition on 0; use-after-free.
Modules linked in: coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan
CPU: 0 PID: 293 Comm: cansend Not tainted 5.5.0-rc6-00376-g9e20dcb7040d #1
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Backtrace:
[<c010f570>] (dump_backtrace) from [<c010f90c>] (show_stack+0x20/0x24)
[<c010f8ec>] (show_stack) from [<c0c3e1a4>] (dump_stack+0x8c/0xa0)
[<c0c3e118>] (dump_stack) from [<c0127fec>] (__warn+0xe0/0x108)
[<c0127f0c>] (__warn) from [<c01283c8>] (warn_slowpath_fmt+0xa8/0xcc)
[<c0128324>] (warn_slowpath_fmt) from [<c0539c0c>] (refcount_warn_saturate+0x108/0x174)
[<c0539b04>] (refcount_warn_saturate) from [<c0ad2cac>] (j1939_can_recv+0x20c/0x210)
[<c0ad2aa0>] (j1939_can_recv) from [<c0ac9dc8>] (can_rcv_filter+0xb4/0x268)
[<c0ac9d14>] (can_rcv_filter) from [<c0aca2cc>] (can_receive+0xb0/0xe4)
[<c0aca21c>] (can_receive) from [<c0aca348>] (can_rcv+0x48/0x98)
[<c0aca300>] (can_rcv) from [<c09b1fdc>] (__netif_receive_skb_one_core+0x64/0x88)
[<c09b1f78>] (__netif_receive_skb_one_core) from [<c09b2070>] (__netif_receive_skb+0x38/0x94)
[<c09b2038>] (__netif_receive_skb) from [<c09b2130>] (netif_receive_skb_internal+0x64/0xf8)
[<c09b20cc>] (netif_receive_skb_internal) from [<c09b21f8>] (netif_receive_skb+0x34/0x19c)
[<c09b21c4>] (netif_receive_skb) from [<c0791278>] (can_rx_offload_napi_poll+0x58/0xb4)

Fixes: 0ae89beb283a ("can: add destructor for self generated skbs")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: http://lore.kernel.org/r/20200124132656.22156-1-o.rempel@pengutronix.de
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 include/linux/can/skb.h | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h
index 900b9f4e0605..fc61cf4eff1c 100644
--- a/include/linux/can/skb.h
+++ b/include/linux/can/skb.h
@@ -61,21 +61,17 @@ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk)
  */
 static inline struct sk_buff *can_create_echo_skb(struct sk_buff *skb)
 {
-	if (skb_shared(skb)) {
-		struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
+	struct sk_buff *nskb;
 
-		if (likely(nskb)) {
-			can_skb_set_owner(nskb, skb->sk);
-			consume_skb(skb);
-			return nskb;
-		} else {
-			kfree_skb(skb);
-			return NULL;
-		}
+	nskb = skb_clone(skb, GFP_ATOMIC);
+	if (unlikely(!nskb)) {
+		kfree_skb(skb);
+		return NULL;
 	}
 
-	/* we can assume to have an unshared skb with proper owner */
-	return skb;
+	can_skb_set_owner(nskb, skb->sk);
+	consume_skb(skb);
+	return nskb;
 }
 
 #endif /* !_CAN_SKB_H */
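Review bot: the comment block that ends at ` */` directly above `can_create_echo_skb()` should be updated in this hunk, because the removed `/* we can assume to have an unshared skb with proper owner */` comment and the old early `return skb;` documented a function that cloned only a shared skb, while the new body clones unconditionally and always releases the caller's reference, on the success path via `consume_skb(skb)` and on the allocation-failure path via `kfree_skb(skb)`; the header comment should say so, and should note that every call now costs a `GFP_ATOMIC` allocation. The order `can_skb_set_owner(nskb, skb->sk);` before `consume_skb(skb);` must stay as written, since `skb->sk` is read from the skb that the next line may free; a one-line comment on that pair would keep a later reorder from reintroducing a use-after-free.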
-- 
2.28.0
