Date: Tue, 21 Jan 2020 09:30:35 +0100
From: Kurt Van Dijck
To: Oliver Hartkopp
Cc: Dmitry Vyukov, Marc Kleine-Budde, o.rempel@pengutronix.de, syzbot, David Miller, linux-can@vger.kernel.org, LKML, netdev, syzkaller-bugs
Subject: Re: general protection fault in can_rx_register
Message-ID: <20200121083035.GD14537@x1.vandijck-laurijssen.be>
In-Reply-To: <2a676c0e-20f2-61b5-c72b-f51947bafc7d@hartkopp.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On ma, 20 jan 2020 23:35:16 +0100, Oliver Hartkopp wrote:
> Answering myself ...
> > On 20/01/2020 23.02, Oliver Hartkopp wrote: > > > > >Added some code to check whether dev->ml_priv is NULL: > > > >~/linux$ git diff > >diff --git a/net/can/af_can.c b/net/can/af_can.c > >index 128d37a4c2e0..6fb4ae4c359e 100644 > >--- a/net/can/af_can.c > >+++ b/net/can/af_can.c > >@@ -463,6 +463,10 @@ int can_rx_register(struct net *net, struct > >net_device *dev, canid_t can_id, > >         spin_lock_bh(&net->can.rcvlists_lock); > > > >         dev_rcv_lists = can_dev_rcv_lists_find(net, dev); > >+       if (!dev_rcv_lists) { > >+               pr_err("dev_rcv_lists == NULL! %p\n", dev); > >+               goto out_unlock; > >+       } > >         rcv_list = can_rcv_list_find(&can_id, &mask, dev_rcv_lists); > > > >         rcv->can_id = can_id; 
> >@@ -479,6 +483,7 @@ int can_rx_register(struct net *net, struct net_device > >*dev, canid_t can_id, > >         rcv_lists_stats->rcv_entries++; > >         rcv_lists_stats->rcv_entries_max = > >max(rcv_lists_stats->rcv_entries_max, > > > >rcv_lists_stats->rcv_entries); > >+out_unlock: > >         spin_unlock_bh(&net->can.rcvlists_lock); > > > >         return err; > > > >And the output (after some time) is: > > > >[  758.505841] netlink: 'crash': attribute type 1 has an invalid length. > >[  758.508045] bond7148: (slave vxcan1): The slave device specified does > >not support setting the MAC address > >[  758.508057] bond7148: (slave vxcan1): Error -22 calling dev_set_mtu > >[  758.532025] bond10413: (slave vxcan1): The slave device specified does > >not support setting the MAC address > >[  758.532043] bond10413: (slave vxcan1): Error -22 calling dev_set_mtu > >[  758.532254] dev_rcv_lists == NULL! 000000006b9d257f > >[  758.547392] netlink: 'crash': attribute type 1 has an invalid length. > >[  758.549310] bond7145: (slave vxcan1): The slave device specified does > >not support setting the MAC address > >[  758.549313] bond7145: (slave vxcan1): Error -22 calling dev_set_mtu > >[  758.550464] netlink: 'crash': attribute type 1 has an invalid length. > >[  758.552301] bond7146: (slave vxcan1): The slave device specified does > >not support setting the MAC address > > > >So we can see that we get a ml_priv pointer which is NULL which should not > >be possible due to this: > > > >https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/can/dev.c#n743 > > This reference doesn't point to the right code as vxcan has its own handling > do assign ml_priv in vxcan.c . > > >Btw. the variable 'size' is set two times at the top of alloc_candev_mqs() > >depending on echo_skb_max. This looks wrong. > > No. It looks right as I did not get behind the ALIGN() macro at first sight. 
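Review bot: In the first hunk, the new `if (!dev_rcv_lists)` branch does `goto out_unlock` without assigning `err`, so `return err;` hands the caller whatever value `err` held before the lock was taken, and a failed registration can look like success. Set an explicit error before the jump, for example `err = -ENODEV;`. The context line `rcv->can_id = can_id;` right after the check shows `rcv` is only filled in past this point, so if `rcv` was allocated earlier in the function the early exit should release it as well. If the message is kept beyond debugging, note that `%p` prints a hashed pointer (the log shows `000000006b9d257f`), so printing the device name would identify the interface more usefully.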
>
> But it is still open why dev->ml_priv is not set correctly in vxcan.c as all
> the settings for .priv_size and in vxcan_setup look fine.

Maybe I got completely lost:
Shouldn't can_ml_priv and vxcan_priv not be similar?
Where is the dev_rcv_lists in the vxcan case?

>
> Best regards,
> Oliver