!9179 CVE-2021-47232 (44bbb358) · Commits · EulixOS / Software / Kernel

net/can/j1939/transport.c

+63 −14

Original line number	Diff line number	Diff line
		@@ -330,6 +330,9 @@ static void j1939_session_skb_drop_old(struct j1939_session *session)

		if ((do_skcb->offset + do_skb->len) < offset_start) {
		__skb_unlink(do_skb, &session->skb_queue);
		/* drop ref taken in j1939_session_skb_queue() */
		skb_unref(do_skb);

		kfree_skb(do_skb);
		}
		spin_unlock_irqrestore(&session->skb_queue.lock, flags);
		@@ -349,20 +352,20 @@ void j1939_session_skb_queue(struct j1939_session *session,

		skcb->flags \|= J1939_ECU_LOCAL_SRC;

		skb_get(skb);
		skb_queue_tail(&session->skb_queue, skb);
		}

		static struct sk_buff j1939_session_skb_find(struct j1939_session session)
		static struct
		sk_buff j1939_session_skb_get_by_offset(struct j1939_session session,
		unsigned int offset_start)
		{
		struct j1939_priv *priv = session->priv;
		struct j1939_sk_buff_cb *do_skcb;
		struct sk_buff *skb = NULL;
		struct sk_buff *do_skb;
		struct j1939_sk_buff_cb *do_skcb;
		unsigned int offset_start;
		unsigned long flags;

		offset_start = session->pkt.dpo * 7;

		spin_lock_irqsave(&session->skb_queue.lock, flags);
		skb_queue_walk(&session->skb_queue, do_skb) {
		do_skcb = j1939_skb_to_cb(do_skb);
		@@ -372,6 +375,10 @@ static struct sk_buff j1939_session_skb_find(struct j1939_session session)
		skb = do_skb;
		}
		}

		if (skb)
		skb_get(skb);

		spin_unlock_irqrestore(&session->skb_queue.lock, flags);

		if (!skb)
		@@ -382,6 +389,14 @@ static struct sk_buff j1939_session_skb_find(struct j1939_session session)
		return skb;
		}

		static struct sk_buff j1939_session_skb_get(struct j1939_session session)
		{
		unsigned int offset_start;

		offset_start = session->pkt.dpo * 7;
		return j1939_session_skb_get_by_offset(session, offset_start);
		}

		/* see if we are receiver
		* returns 0 for broadcasts, although we will receive them
		*/
		@@ -766,7 +781,7 @@ static int j1939_session_tx_dat(struct j1939_session *session)
		int ret = 0;
		u8 dat[8];

		se_skb = j1939_session_skb_find(session);
		se_skb = j1939_session_skb_get_by_offset(session, session->pkt.tx * 7);
		if (!se_skb)
		return -ENOBUFS;

		@@ -787,6 +802,19 @@ static int j1939_session_tx_dat(struct j1939_session *session)
		if (len > 7)
		len = 7;

		if (offset + len > se_skb->len) {
		netdev_err_once(priv->ndev,
		"%s: 0x%p: requested data outside of queued buffer: offset %i, len %i, pkt.tx: %i\n",
		__func__, session, skcb->offset, se_skb->len , session->pkt.tx);
		ret = -EOVERFLOW;
		goto out_free;
		}

		if (!len) {
		ret = -ENOBUFS;
		break;
		}

		memcpy(&dat[1], &tpdat[offset], len);
		ret = j1939_tp_tx_dat(session, dat, len + 1);
		if (ret < 0) {
		@@ -813,6 +841,12 @@ static int j1939_session_tx_dat(struct j1939_session *session)
		if (pkt_done)
		j1939_tp_set_rxtimeout(session, 250);

		out_free:
		if (ret)
		kfree_skb(se_skb);
		else
		consume_skb(se_skb);

		return ret;
		}

		@@ -985,7 +1019,7 @@ static int j1939_xtp_txnext_receiver(struct j1939_session *session)
		static int j1939_simple_txnext(struct j1939_session *session)
		{
		struct j1939_priv *priv = session->priv;
		struct sk_buff *se_skb = j1939_session_skb_find(session);
		struct sk_buff *se_skb = j1939_session_skb_get(session);
		struct sk_buff *skb;
		int ret;

		@@ -993,8 +1027,10 @@ static int j1939_simple_txnext(struct j1939_session *session)
		return 0;

		skb = skb_clone(se_skb, GFP_ATOMIC);
		if (!skb)
		return -ENOMEM;
		if (!skb) {
		ret = -ENOMEM;
		goto out_free;
		}

		can_skb_set_owner(skb, se_skb->sk);

		@@ -1002,12 +1038,18 @@ static int j1939_simple_txnext(struct j1939_session *session)

		ret = j1939_send_one(priv, skb);
		if (ret)
		return ret;
		goto out_free;

		j1939_sk_errqueue(session, J1939_ERRQUEUE_SCHED);
		j1939_sk_queue_activate_next(session);

		return 0;
		out_free:
		if (ret)
		kfree_skb(se_skb);
		else
		consume_skb(se_skb);

		return ret;
		}

		static bool j1939_session_deactivate_locked(struct j1939_session *session)
		@@ -1120,6 +1162,9 @@ static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
		* cleanup including propagation of the error to user space.
		*/
		break;
		case -EOVERFLOW:
		j1939_session_cancel(session, J1939_XTP_ABORT_ECTS_TOO_BIG);
		break;
		case 0:
		session->tx_retry = 0;
		break;
		@@ -1145,9 +1190,10 @@ static void j1939_session_completed(struct j1939_session *session)
		struct sk_buff *skb;

		if (!session->transmission) {
		skb = j1939_session_skb_find(session);
		skb = j1939_session_skb_get(session);
		/* distribute among j1939 receivers */
		j1939_sk_recv(session->priv, skb);
		consume_skb(skb);
		}

		j1939_session_deactivate_activate_next(session);
		@@ -1710,7 +1756,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
		{
		struct j1939_priv *priv = session->priv;
		struct j1939_sk_buff_cb *skcb;
		struct sk_buff *se_skb;
		struct sk_buff *se_skb = NULL;
		const u8 *dat;
		u8 *tpdat;
		int offset;
		@@ -1750,7 +1796,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
		__func__, session);
		goto out_session_cancel;
		}
		se_skb = j1939_session_skb_find(session);

		se_skb = j1939_session_skb_get_by_offset(session, packet * 7);
		if (!se_skb) {
		netdev_warn(priv->ndev, "%s: 0x%p: no skb found\n", __func__,
		session);
		@@ -1793,11 +1840,13 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
		j1939_tp_set_rxtimeout(session, 250);
		}
		session->last_cmd = 0xff;
		consume_skb(se_skb);
		j1939_session_put(session);

		return;

		out_session_cancel:
		kfree_skb(se_skb);
		j1939_session_timers_cancel(session);
		j1939_session_cancel(session, J1939_XTP_ABORT_FAULT);
		j1939_session_put(session);