Merge tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

kuba-moo · kuba-moo · commit ebd3b826343b · 2023-03-27T19:47:43.000-07:00
Marc Kleine-Budde says: ==================== pull-request: can 2023-03-27 Oleksij Rempel and Hillf Danton contribute a patch for the CAN J1939 protocol that prevents a potential deadlock in j1939_sk_errqueue(). Ivan Orlov fixes an uninit-value in the CAN BCM protocol in the bcm_tx_setup() function. * tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write can: j1939: prevent deadlock by moving j1939_sk_errqueue() ==================== Link: https://lore.kernel.org/r/20230327124807.1157134-1-mkl@pengutronix.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/can/bcm.c b/net/can/bcm.c
@@ -941,6 +941,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 
 			cf = op->frames + op->cfsiz * i;
 			err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
+			if (err < 0)
+				goto free_op;
 
 			if (op->flags & CAN_FD_FRAME) {
 				if (cf->len > 64)
@@ -950,12 +952,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 					err = -EINVAL;
 			}
 
-			if (err < 0) {
-				if (op->frames != &op->sframe)
-					kfree(op->frames);
-				kfree(op);
-				return err;
-			}
+			if (err < 0)
+				goto free_op;
 
 			if (msg_head->flags & TX_CP_CAN_ID) {
 				/* copy can_id into frame */
@@ -1026,6 +1024,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 		bcm_tx_start_timer(op);
 
 	return msg_head->nframes * op->cfsiz + MHSIZ;
+
+free_op:
+	if (op->frames != &op->sframe)
+		kfree(op->frames);
+	kfree(op);
+	return err;
 }
 
 /*
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struct j1939_session *session,
 
 	if (session->sk)
 		j1939_sk_send_loop_abort(session->sk, session->err);
-	else
-		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 }
 
 static void j1939_session_cancel(struct j1939_session *session,
@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct j1939_session *session,
 	}
 
 	j1939_session_list_unlock(session->priv);
+
+	if (!session->sk)
+		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 }
 
 static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxtimer(struct hrtimer *hrtimer)
 			__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);
 		}
 		j1939_session_list_unlock(session->priv);
+
+		if (!session->sk)
+			j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 	}
 
 	j1939_session_put(session);

Original file line number	Diff line number	Diff line change
`@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struct j1939_session *session,`
`1124`	`1124`
`1125`	`1125`	`if (session->sk)`
`1126`	`1126`	`j1939_sk_send_loop_abort(session->sk, session->err);`
`1127`		`- else`
`1128`		`- j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);`
`1129`	`1127`	`}`
`1130`	`1128`
`1131`	`1129`	`static void j1939_session_cancel(struct j1939_session *session,`
`@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct j1939_session *session,`
`1140`	`1138`	`}`
`1141`	`1139`
`1142`	`1140`	`j1939_session_list_unlock(session->priv);`
	`1141`	`+`
	`1142`	`+ if (!session->sk)`
	`1143`	`+ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);`
`1143`	`1144`	`}`
`1144`	`1145`
`1145`	`1146`	`static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)`
`@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxtimer(struct hrtimer *hrtimer)`
`1253`	`1254`	`__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);`
`1254`	`1255`	`}`
`1255`	`1256`	`j1939_session_list_unlock(session->priv);`
	`1257`	`+`
	`1258`	`+ if (!session->sk)`
	`1259`	`+ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);`
`1256`	`1260`	`}`
`1257`	`1261`
`1258`	`1262`	`j1939_session_put(session);`