[PATCH 4.9 11/78] can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Vincent Mailhol <mailhol.vincent@wanadoo.fr>,
	Marc Kleine-Budde <mkl@pengutronix.de>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 11/78] can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context
Date: Tue, 17 Nov 2020 14:04:37 +0100	[thread overview]
Message-ID: <20201117122109.652553599@linuxfoundation.org> (raw)
In-Reply-To: <20201117122109.116890262@linuxfoundation.org>

From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>

[ Upstream commit 2283f79b22684d2812e5c76fc2280aae00390365 ]

If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but
not always, the case), the 'WARN_ON(in_irq)' in
net/core/skbuff.c#skb_release_head_state() might be triggered, under network
congestion circumstances, together with the potential risk of a NULL pointer
dereference.

The root cause of this issue is the call to kfree_skb() instead of
dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog().

This patch prevents the skb to be freed within the call to netif_rx() by
incrementing its reference count with skb_get(). The skb is finally freed by
one of the in-irq-context safe functions: dev_consume_skb_any() or
dev_kfree_skb_any(). The "any" version is used because some drivers might call
can_get_echo_skb() in a normal context.

The reason for this issue to occur is that initially, in the core network
stack, loopback skb were not supposed to be received in hardware IRQ context.
The CAN stack is an exeption.

This bug was previously reported back in 2017 in [1] but the proposed patch
never got accepted.

While [1] directly modifies net/core/dev.c, we try to propose here a
smoother modification local to CAN network stack (the assumption
behind is that only CAN devices are affected by this issue).

[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com

Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Link: https://lore.kernel.org/r/20201002154219.4887-2-mailhol.vincent@wanadoo.fr
Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/dev.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index ffc5467a1ec2b..aa2158fabf2ac 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -496,7 +496,11 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
 	if (!skb)
 		return 0;

-	netif_rx(skb);
+	skb_get(skb);
+	if (netif_rx(skb) == NET_RX_SUCCESS)
+		dev_consume_skb_any(skb);
+	else
+		dev_kfree_skb_any(skb);

 	return len;
 }
-- 
2.27.0

next prev parent reply	other threads:[~2020-11-17 14:05 UTC|newest]

Thread overview: 83+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-17 13:04 [PATCH 4.9 00/78] 4.9.244-rc1 review Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 01/78] regulator: defer probe when trying to get voltage from unresolved supply Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 02/78] ring-buffer: Fix recursion protection transitions between interrupt context Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 03/78] gfs2: Wake up when sd_glock_disposal becomes zero Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 04/78] mm: mempolicy: fix potential pte_unmap_unlock pte error Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 05/78] time: Prevent undefined behaviour in timespec64_to_ns() Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 06/78] btrfs: reschedule when cloning lots of extents Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 07/78] genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 08/78] net: xfrm: fix a race condition during allocing spi Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 09/78] perf tools: Add missing swap for ino_generation Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 10/78] ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() Greg Kroah-Hartman
2020-11-17 13:04 ` Greg Kroah-Hartman [this message]
2020-11-17 13:04 ` [PATCH 4.9 12/78] can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 13/78] can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 14/78] can: peak_usb: add range checking in decode operations Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 15/78] can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 16/78] xfs: flush new eof page on truncate to avoid post-eof corruption Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 17/78] Btrfs: fix missing error return if writeback for extent buffer never started Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 18/78] pinctrl: devicetree: Avoid taking direct reference to device name string Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 19/78] i40e: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 20/78] i40e: add num_vectors checker in iwarp handler Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 21/78] i40e: Wrong truncation from u16 to u8 Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 22/78] i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 23/78] i40e: Memory leak in i40e_config_iwarp_qvlist Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 24/78] geneve: add transport ports in route lookup for geneve Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 25/78] ath9k_htc: Use appropriate rs_datalen type Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 26/78] usb: gadget: goku_udc: fix potential crashes in probe Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 27/78] gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 28/78] gfs2: check for live vs. read-only file system in gfs2_fitrim Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 29/78] scsi: hpsa: Fix memory leak in hpsa_init_one() Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 30/78] drm/amdgpu: perform srbm soft reset always on SDMA resume Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 31/78] mac80211: fix use of skb payload instead of header Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 32/78] mac80211: always wind down STA state Greg Kroah-Hartman
2020-11-17 13:04 ` [PATCH 4.9 33/78] cfg80211: regulatory: Fix inconsistent format argument Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 34/78] scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 35/78] iommu/amd: Increase interrupt remapping table limit to 512 entries Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 36/78] pinctrl: aspeed: Fix GPI only function problem Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 37/78] xfs: fix flags argument to rmap lookup when converting shared file rmaps Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 38/78] xfs: fix rmap key and record comparison functions Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 39/78] xfs: fix a missing unlock on error in xfs_fs_map_blocks Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 40/78] of/address: Fix of_node memory leak in of_dma_is_coherent Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 41/78] cosa: Add missing kfree in error path of cosa_write Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 42/78] perf: Fix get_recursion_context() Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 43/78] ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 44/78] ext4: unlock xattr_sem properly in ext4_inline_data_truncate() Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 45/78] usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 46/78] mei: protect mei_cl_mtu from null dereference Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 47/78] ocfs2: initialize ip_next_orphan Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 48/78] dont dump the threads that had been already exiting when zapped Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 49/78] drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 50/78] pinctrl: amd: use higher precision for 512 RtcClk Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 51/78] pinctrl: amd: fix incorrect way to disable debounce filter Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 52/78] swiotlb: fix "x86: Dont panic if can not alloc buffer for swiotlb" Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 53/78] IPv6: Set SIT tunnel hard_header_len to zero Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 54/78] net/af_iucv: fix null pointer dereference on shutdown Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 55/78] net/x25: Fix null-ptr-deref in x25_connect Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 56/78] net: Update window_clamp if SOCK_RCVBUF is set Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 57/78] random32: make prandom_u32() output unpredictable Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 58/78] x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 59/78] perf/core: Fix bad use of igrab() Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 60/78] perf/core: Fix crash when using HW tracing kernel filters Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 61/78] perf/core: Fix a memory leak in perf_event_parse_addr_filter() Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 62/78] xen/events: avoid removing an event channel while handling it Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 63/78] xen/events: add a proper barrier to 2-level uevent unmasking Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 64/78] xen/events: fix race in evtchn_fifo_unmask() Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 65/78] xen/events: add a new "late EOI" evtchn framework Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 66/78] xen/blkback: use lateeoi irq binding Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 67/78] xen/netback: " Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 68/78] xen/scsiback: " Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 69/78] xen/pciback: " Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 70/78] xen/events: switch user event channels to lateeoi model Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 71/78] xen/events: use a common cpu hotplug hook for event channels Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 72/78] xen/events: defer eoi in case of excessive number of events Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 73/78] xen/events: block rogue events for some time Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 74/78] perf/core: Fix race in the perf_mmap_close() function Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 75/78] Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 76/78] reboot: fix overflow parsing reboot cpu number Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 77/78] ext4: fix leaking sysfs kobject after failed mount Greg Kroah-Hartman
2020-11-17 13:05 ` [PATCH 4.9 78/78] Convert trailing spaces and periods in path components Greg Kroah-Hartman
2020-11-17 19:09 ` [PATCH 4.9 00/78] 4.9.244-rc1 review Jon Hunter
2020-11-17 22:06 ` Shuah Khan
2020-11-18 11:14 ` Naresh Kamboju
2020-11-18 15:22 ` Guenter Roeck

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ffc5467a1ec2 dfblob:aa2158fabf2a )
 OR (
bs:"[PATCH 4.9 11/78] can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201117122109.652553599@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mailhol.vincent@wanadoo.fr \
    --cc=mkl@pengutronix.de \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).