Merge tag 'linux-can-fixes-for-6.3-20230327' of...

Merge tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2023-03-27 Oleksij Rempel and Hillf Danton contribute a patch for the CAN J1939 protocol that prevents a potential deadlock in j1939_sk_errqueue(). Ivan Orlov fixes an uninit-value in the CAN BCM protocol in the bcm_tx_setup() function. * tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write can: j1939: prevent deadlock by moving j1939_sk_errqueue() ==================== Link: https://lore.kernel.org/r/20230327124807.1157134-1-mkl@pengutronix.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>

Merge tag 'linux-can-fixes-for-6.3-20230327' of...
Merge tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2023-03-27 Oleksij Rempel and Hillf Danton contribute a patch for the CAN J1939 protocol that prevents a potential deadlock in j1939_sk_errqueue(). Ivan Orlov fixes an uninit-value in the CAN BCM protocol in the bcm_tx_setup() function. * tag 'linux-can-fixes-for-6.3-20230327' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write can: j1939: prevent deadlock by moving j1939_sk_errqueue() ==================== Link: https://lore.kernel.org/r/20230327124807.1157134-1-mkl@pengutronix.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
ebd3b826 · Jakub Kicinski · 4f7702ab · 2b4c99f7 · ebd3b826 · ebd3b826
Commit ebd3b826 authored Mar 27, 2023 by Jakub Kicinski
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 8 deletions

net/can/bcm.c net/can/bcm.c +10 -6

net/can/j1939/transport.c net/can/j1939/transport.c +6 -2

No files found.
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -941,6 +941,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,

 			cf = op->frames + op->cfsiz * i;
 			err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
+			if (err < 0)
+				goto free_op;

 			if (op->flags & CAN_FD_FRAME) {
 				if (cf->len > 64)
@@ -950,12 +952,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 					err = -EINVAL;
 			}

-			if (err < 0) {
-				if (op->frames != &op->sframe)
-					kfree(op->frames);
-				kfree(op);
-				return err;
-			}
+			if (err < 0)
+				goto free_op;

 			if (msg_head->flags & TX_CP_CAN_ID) {
 				/* copy can_id into frame */
@@ -1026,6 +1024,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 		bcm_tx_start_timer(op);

 	return msg_head->nframes * op->cfsiz + MHSIZ;
+
+free_op:
+	if (op->frames != &op->sframe)
+		kfree(op->frames);
+	kfree(op);
+	return err;
 }

 /*

--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struct j1939_session *session,

 	if (session->sk)
 		j1939_sk_send_loop_abort(session->sk, session->err);
-	else
-		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 }

 static void j1939_session_cancel(struct j1939_session *session,
@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct j1939_session *session,
 	}

 	j1939_session_list_unlock(session->priv);
+
+	if (!session->sk)
+		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 }

 static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxtimer(struct hrtimer *hrtimer)
 			__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);
 		}
 		j1939_session_list_unlock(session->priv);
+
+		if (!session->sk)
+			j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 	}

 	j1939_session_put(session);