Commit ebd3b826 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge tag 'linux-can-fixes-for-6.3-20230327' of...

Merge tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2023-03-27

Oleksij Rempel and Hillf Danton contribute a patch for the CAN J1939
protocol that prevents a potential deadlock in j1939_sk_errqueue().

Ivan Orlov fixes an uninit-value in the CAN BCM protocol in the
bcm_tx_setup() function.

* tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
  can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
  can: j1939: prevent deadlock by moving j1939_sk_errqueue()
====================

Link: https://lore.kernel.org/r/20230327124807.1157134-1-mkl@pengutronix.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 4f7702ab 2b4c99f7
+10 −6
@@ -941,6 +941,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,


			cf = op->frames + op->cfsiz * i;
			cf = op->frames + op->cfsiz * i;
			err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
			err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
			if (err < 0)
				goto free_op;


			if (op->flags & CAN_FD_FRAME) {
			if (op->flags & CAN_FD_FRAME) {
				if (cf->len > 64)
				if (cf->len > 64)
@@ -950,12 +952,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
					err = -EINVAL;
					err = -EINVAL;
			}
			}


			if (err < 0) {
			if (err < 0)
				if (op->frames != &op->sframe)
				goto free_op;
					kfree(op->frames);
				kfree(op);
				return err;
			}


			if (msg_head->flags & TX_CP_CAN_ID) {
			if (msg_head->flags & TX_CP_CAN_ID) {
				/* copy can_id into frame */
				/* copy can_id into frame */
@@ -1026,6 +1024,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
		bcm_tx_start_timer(op);
		bcm_tx_start_timer(op);


	return msg_head->nframes * op->cfsiz + MHSIZ;
	return msg_head->nframes * op->cfsiz + MHSIZ;

free_op:
	if (op->frames != &op->sframe)
		kfree(op->frames);
	kfree(op);
	return err;
}
}


/*
/*
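Review bot: The `free_op:` label added at the end of bcm_tx_setup() frees `op` unconditionally, so it is only safe to reach from paths where `op` was allocated in this call and is not yet reachable from anywhere else, and nothing at the label says so. The function body starts outside these hunks, so it is not visible whether another frame-copy loop works on an op that is already registered. If one exists, it must keep returning directly instead of jumping here, otherwise a later edit could free an op that is still in use. I would add a comment above the label, e.g. `/* error path for an op allocated in this call only; it is not yet linked into any list */`. Any other loop in this function that reads `cf->len` right after `memcpy_from_msg()` should get the same early `if (err < 0)` check.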
+6 −2
@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struct j1939_session *session,


	if (session->sk)
	if (session->sk)
		j1939_sk_send_loop_abort(session->sk, session->err);
		j1939_sk_send_loop_abort(session->sk, session->err);
	else
		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
}
}


static void j1939_session_cancel(struct j1939_session *session,
static void j1939_session_cancel(struct j1939_session *session,
@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct j1939_session *session,
	}
	}


	j1939_session_list_unlock(session->priv);
	j1939_session_list_unlock(session->priv);

	if (!session->sk)
		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
}
}


static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxtimer(struct hrtimer *hrtimer)
			__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);
			__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);
		}
		}
		j1939_session_list_unlock(session->priv);
		j1939_session_list_unlock(session->priv);

		if (!session->sk)
			j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
	}
	}


	j1939_session_put(session);
	j1939_session_put(session);
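Review bot: In j1939_tp_rxtimer() the new `j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT)` call sits after the unlock and outside the inner block that calls `__j1939_session_cancel()`, so the RX_ABORT notification is no longer tied to the cancel having run. j1939_session_cancel() appears to have the same shape, with a block closing just before the unlock. Previously the notification was queued only from inside `__j1939_session_cancel()`, so if the guarding condition (outside the hunk) is false, an abort event could now be queued for a session that was not aborted on this path. Consider recording the decision while the list lock is held, e.g. `bool notify = false;` set to `true` next to the `__j1939_session_cancel()` call, then testing `if (notify && !session->sk)` after the unlock. Both function bodies start outside the hunks, so the guarding conditions themselves cannot be checked from here.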