Subject: Re: [PATCH net] can: raw: fix raw_rcv panic for sock UAF
To: "Ziyang Xuan (William)", Greg KH
Cc: davem@davemloft.net, kuba@kernel.org, mkl@pengutronix.de, netdev@vger.kernel.org, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20210721010937.670275-1-william.xuanziyang@huawei.com> <44c3e0e2-03c5-80e5-001c-03e7e9758bca@hartkopp.net>
From: Oliver Hartkopp
Message-ID: <4d91f7bd-eef2-0b1a-f44f-d2006c465422@hartkopp.net>
Date: Wed, 21 Jul 2021 11:45:13 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

On 21.07.21 11:29, Ziyang Xuan (William) wrote:
> On 7/21/2021 2:35 PM, Oliver Hartkopp wrote:
>>
>>
>> On 21.07.21 06:53, Greg KH wrote:
>>> On Wed, Jul 21, 2021 at 09:09:37AM +0800, Ziyang Xuan wrote:
>>>> We get a bug during ltp can_filter test as following.
>>>>
>>>> ===========================================
>>>> [60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
>>>> [60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
>>>> [60919.265443] Oops: 0000 [#1] SMP PTI
>>>> [60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G        W         4.19.90+ #1
>>
>> This kernel version 4.19.90 is definitely outdated.
>>
>> Can you please check your issue with the latest upstream kernel as this problem should have been fixed with this patch:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8d0caedb759683041d9db82069937525999ada53
>> ("can: bcm/raw/isotp: use per module netdevice notifier")
>>
>> Thanks!
>
> I have tested it under the latest 5.14-rc2 kernel version which includes commit 8d0caedb7596 before I submit the patch.
> Although I failed to get the vmcore-dmesg file after updating the kernel version to 5.14-rc2 to display here.
> But we can get the conclusion according to the following debug messages and my problem analysis.
>
> ==========================================
> [ 1048.953574] unlist_netdevice name[vcan0]
> [ 1048.953661] raw_notify 283: enter, waiting
> [ 1050.950967] raw_setsockopt 552: ro->bound[1] ro->ifindex[8] sk[ffff9420c5699800]
> [ 1053.956002] can: receive list entry not found for dev any, id 000, mask 000
> [ 1053.961989] can: receive list entry not found for dev vcan0, id 123, mask 7FF
>
> raw_setsockopt() executes after unlist_netdevice() and before raw_notify().
> The problem always exists.
>

You are right!

In the meantime I sent a new reply to your original patch here:

https://lore.kernel.org/linux-can/11822417-5931-b2d8-ae77-ec4a84b8b895@hartkopp.net/

Thanks!