From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Fedor Pchelkin <pchelkin@ispras.ru>,
Oleksij Rempel <o.rempel@pengutronix.de>,
Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [PATCH 5.4 26/45] can: j1939: change j1939_netdev_lock type to mutex
Date: Mon, 12 Jun 2023 12:26:20 +0200 [thread overview]
Message-ID: <20230612101655.719559720@linuxfoundation.org> (raw)
In-Reply-To: <20230612101654.644983109@linuxfoundation.org>
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit cd9c790de2088b0d797dc4d244b4f174f9962554 upstream.
It turns out access to j1939_can_rx_register() needs to be serialized,
otherwise j1939_priv can be corrupted when parallel threads call
j1939_netdev_start() and j1939_can_rx_register() fails. This issue is
thoroughly covered in other commit which serializes access to
j1939_can_rx_register().
Change j1939_netdev_lock type to mutex so that we do not need to remove
GFP_KERNEL from can_rx_register().
j1939_netdev_lock seems to be used in normal contexts where mutex usage
is not prohibited.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Suggested-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/r/20230526171910.227615-2-pchelkin@ispras.ru
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/main.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -122,7 +122,7 @@ static void j1939_can_recv(struct sk_buf
#define J1939_CAN_ID CAN_EFF_FLAG
#define J1939_CAN_MASK (CAN_EFF_FLAG | CAN_RTR_FLAG)
-static DEFINE_SPINLOCK(j1939_netdev_lock);
+static DEFINE_MUTEX(j1939_netdev_lock);
static struct j1939_priv *j1939_priv_create(struct net_device *ndev)
{
@@ -216,7 +216,7 @@ static void __j1939_rx_release(struct kr
j1939_can_rx_unregister(priv);
j1939_ecu_unmap_all(priv);
j1939_priv_set(priv->ndev, NULL);
- spin_unlock(&j1939_netdev_lock);
+ mutex_unlock(&j1939_netdev_lock);
}
/* get pointer to priv without increasing ref counter */
@@ -244,9 +244,9 @@ static struct j1939_priv *j1939_priv_get
{
struct j1939_priv *priv;
- spin_lock(&j1939_netdev_lock);
+ mutex_lock(&j1939_netdev_lock);
priv = j1939_priv_get_by_ndev_locked(ndev);
- spin_unlock(&j1939_netdev_lock);
+ mutex_unlock(&j1939_netdev_lock);
return priv;
}
@@ -256,14 +256,14 @@ struct j1939_priv *j1939_netdev_start(st
struct j1939_priv *priv, *priv_new;
int ret;
- spin_lock(&j1939_netdev_lock);
+ mutex_lock(&j1939_netdev_lock);
priv = j1939_priv_get_by_ndev_locked(ndev);
if (priv) {
kref_get(&priv->rx_kref);
- spin_unlock(&j1939_netdev_lock);
+ mutex_unlock(&j1939_netdev_lock);
return priv;
}
- spin_unlock(&j1939_netdev_lock);
+ mutex_unlock(&j1939_netdev_lock);
priv = j1939_priv_create(ndev);
if (!priv)
@@ -273,20 +273,20 @@ struct j1939_priv *j1939_netdev_start(st
spin_lock_init(&priv->j1939_socks_lock);
INIT_LIST_HEAD(&priv->j1939_socks);
- spin_lock(&j1939_netdev_lock);
+ mutex_lock(&j1939_netdev_lock);
priv_new = j1939_priv_get_by_ndev_locked(ndev);
if (priv_new) {
/* Someone was faster than us, use their priv and roll
* back our's.
*/
kref_get(&priv_new->rx_kref);
- spin_unlock(&j1939_netdev_lock);
+ mutex_unlock(&j1939_netdev_lock);
dev_put(ndev);
kfree(priv);
return priv_new;
}
j1939_priv_set(ndev, priv);
- spin_unlock(&j1939_netdev_lock);
+ mutex_unlock(&j1939_netdev_lock);
ret = j1939_can_rx_register(priv);
if (ret < 0)
@@ -304,7 +304,7 @@ struct j1939_priv *j1939_netdev_start(st
void j1939_netdev_stop(struct j1939_priv *priv)
{
- kref_put_lock(&priv->rx_kref, __j1939_rx_release, &j1939_netdev_lock);
+ kref_put_mutex(&priv->rx_kref, __j1939_rx_release, &j1939_netdev_lock);
j1939_priv_put(priv);
}
next prev parent reply other threads:[~2023-06-12 10:47 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 10:25 [PATCH 5.4 00/45] 5.4.247-rc1 review Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 01/45] blk-iocost: avoid 64-bit division in ioc_timer_fn Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 02/45] block/blk-iocost (gcc13): keep large values in a new enum Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 03/45] i40iw: fix build warning in i40iw_manage_apbvt() Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 04/45] i40e: fix build warnings in i40e_alloc.h Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 05/45] spi: qup: Request DMA before enabling clocks Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 06/45] neighbour: Replace zero-length array with flexible-array member Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 07/45] neighbour: fix unaligned access to pneigh_entry Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 08/45] net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 09/45] Bluetooth: Fix l2cap_disconnect_req deadlock Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 10/45] Bluetooth: L2CAP: Add missing checks for invalid DCID Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 11/45] netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 12/45] netfilter: ipset: Add schedule point in call_ad() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 13/45] rfs: annotate lockless accesses to sk->sk_rxhash Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 14/45] rfs: annotate lockless accesses to RFS sock flow table Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 15/45] net: sched: move rtm_tca_policy declaration to include file Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 16/45] net: sched: fix possible refcount leak in tc_chain_tmplt_add() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 17/45] lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 18/45] bnxt_en: Query default VLAN before VNIC setup on a VF Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 19/45] batman-adv: Broken sync while rescheduling delayed work Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 20/45] Input: xpad - delete a Razer DeathAdder mouse VID/PID entry Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 21/45] Input: psmouse - fix OOB access in Elantech protocol Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 22/45] ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01 Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 23/45] ALSA: hda/realtek: Add Lenovo P3 Tower platform Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 24/45] drm/amdgpu: fix xclk freq on CHIP_STONEY Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 25/45] can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket Greg Kroah-Hartman
2023-06-12 10:26 ` Greg Kroah-Hartman [this message]
2023-06-12 10:26 ` [PATCH 5.4 27/45] can: j1939: avoid possible use-after-free when j1939_can_rx_register fails Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 28/45] ceph: fix use-after-free bug for inodes when flushing capsnaps Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 29/45] Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 30/45] rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 31/45] pinctrl: meson-axg: add missing GPIOA_18 gpio group Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 32/45] usb: usbfs: Enforce page requirements for mmap Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 33/45] usb: usbfs: Use consistent mmap functions Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 34/45] bonding (gcc13): synchronize bond_{a,t}lb_xmit() types Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 35/45] i2c: sprd: Delete i2c adapter in .removes error path Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 36/45] eeprom: at24: also select REGMAP Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 37/45] ext4: only check dquot_initialize_needed() when debugging Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 38/45] cifs: get rid of unused parameter in reconn_setup_dfs_targets() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 39/45] cifs: handle empty list of targets in cifs_reconnect() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 40/45] drm/atomic: Dont pollute crtc_state->mode_blob with error pointers Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 41/45] rbd: get snapshot context after exclusive lock is ensured to be held Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 42/45] btrfs: check return value of btrfs_commit_transaction in relocation Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 43/45] btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 44/45] mtd: spinand: macronix: Add support for MX35LFxGE4AD Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 45/45] Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE" Greg Kroah-Hartman
2023-06-12 21:54 ` [PATCH 5.4 00/45] 5.4.247-rc1 review Chris Paterson
2023-06-12 22:20 ` Shuah Khan
2023-06-13 8:38 ` Jon Hunter
2023-06-13 9:06 ` Naresh Kamboju
2023-06-13 12:16 ` Harshit Mogalapalli
2023-06-13 12:18 ` Sudip Mukherjee (Codethink)
2023-06-13 23:09 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230612101655.719559720@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=khoroshilov@ispras.ru \
--cc=mkl@pengutronix.de \
--cc=o.rempel@pengutronix.de \
--cc=patches@lists.linux.dev \
--cc=pchelkin@ispras.ru \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).