Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1751004pxb; Mon, 11 Oct 2021 12:16:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyMLAs7mcnD9EpDf9++Us1wIavxZpQLaDh6cFh+s8wviqGM3X9ToeFQ/IWsdKu3e5eeFvPR X-Received: by 2002:a62:5804:0:b0:44b:b75b:ec8f with SMTP id m4-20020a625804000000b0044bb75bec8fmr27423766pfb.63.1633979794731; Mon, 11 Oct 2021 12:16:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633979794; cv=none; d=google.com; s=arc-20160816; b=f9gvJ8hKMvnCDkjavGkUjwBzWgnIcv2lHnPQALM7WXkeG7YrHaLzn2DFnEerhBfUfW GuBPlaPt6g92SEdJ+GURlliDOXx7DIG/0kRbop7n7jp/8eFhn0utjn7Lppn29hxos353 8hgHPDvrAdqF5JJsEDzIyrYzQmFHhb0ooJ5j9MufL/g8BK0DfO78J0UYANcz1AP2IuOk iGmgscMetH4wadu1umSPMrDUjkuicZwNSHMA0N0bZehu7uXAEhVX8SpJguqyItl8Hubd d+3R2i3Oys8j9q1yFGQojgNztqxp4ATV6kq0iZfvpZsAfylKXism1sMmMBlXKa0zarzg aKww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=isDX4gxvzsSFnMxjqxVHmA92I/egBpGCy8mWWkvJadU=; b=KRX1b0w0W0mt5Hu+FNvl15xwmOYufYY/eGoLAbsf2CaK+JRO7Pod6qI6ByE+ZO4aHC I7sxGtWplPHhAVOazADtlD0KTiUQvgGNqLBeQ83bNgRD/SwGkHjob1TQleIRQnrU58nz jBoWs5zLmuMQtmhoj2h+Mz1p1LXnZzQ1P9n7icBn+G9N5LAPEtwgYKH5E+uqcy9oeltO cmQqV11Qh4K5DL0mR8gGbnFGm3BmlBkWE1nYChv0YfTJQQcVC2kKdlwTyhYsWEaN0+if k6BlOqOwvF5rGlDuBubqNeKEjGVk8tQI7P73xsJGPc+tS3keIxLkYpzZzyJ6p4RZSk+M eS7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@hartkopp.net header.s=strato-dkim-0002 header.b=Oewhzq1o; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q91si503230pja.33.2021.10.11.12.16.21; Mon, 11 Oct 2021 12:16:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@hartkopp.net header.s=strato-dkim-0002 header.b=Oewhzq1o; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234586AbhJKTQB (ORCPT + 99 others); Mon, 11 Oct 2021 15:16:01 -0400 Received: from mo4-p01-ob.smtp.rzone.de ([85.215.255.52]:27314 "EHLO mo4-p01-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234447AbhJKTQA (ORCPT ); Mon, 11 Oct 2021 15:16:00 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1633979453; s=strato-dkim-0002; d=hartkopp.net; h=In-Reply-To:Date:Message-ID:From:References:Cc:To:Subject:Cc:Date: From:Subject:Sender; bh=isDX4gxvzsSFnMxjqxVHmA92I/egBpGCy8mWWkvJadU=; b=Oewhzq1o0y5xPL4Z5eBmpJL2mQ8lqCqxzkVQ8xZngFB7hzuDc3HGeK/v9/ZeqL38qm WkaMLty7x81AYKIZUT+JJVnOl3lrrQjx5TAy1lbCek4RXj9RXhrodYk8vnoVwrERQeEB 4k9jk/4/3ajcqzfcNgVzviEwjIpYtnGBgcP0anGVr4K3OFm57E167FLrbfG20i7+jDBr SxyHvJTc1s5EGs2plx7rUWwvh0UTki1SCJZ/jBwxfMzHvo82HZZBj/0NUFomyVHKOA5i CcFVBQ1ZTXojkJKnE+6ycO+V17VplMcIVnuUULK+NFHHiaPcvc8JFkMR2slwWF6cJlIT Jzow== Authentication-Results: strato.com; dkim=none X-RZG-AUTH: ":P2MHfkW8eP4Mre39l357AZT/I7AY/7nT2yrDxb8mjG14FZxedJy6qgO1qCHSa1GLptZHusx3hdd0DIgVvBOfXT2V6Q==" X-RZG-CLASS-ID: mo00 Received: from [IPv6:2a00:6020:1cfa:f904::b82] by smtp.strato.de (RZmta 47.33.8 AUTH) with ESMTPSA id 900f80x9BJAqwnd (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)) (Client did not present a certificate); Mon, 11 Oct 2021 21:10:52 +0200 (CEST) Subject: Re: [PATCH net v2 1/2] can: isotp: add result check for wait_event_interruptible() To: Ziyang Xuan , mkl@pengutronix.de Cc: davem@davemloft.net, kuba@kernel.org, linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <10ca695732c9dd267c76a3c30f37aefe1ff7e32f.1633764159.git.william.xuanziyang@huawei.com> From: Oliver Hartkopp Message-ID: Date: Mon, 11 Oct 2021 21:10:46 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: <10ca695732c9dd267c76a3c30f37aefe1ff7e32f.1633764159.git.william.xuanziyang@huawei.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 09.10.21 09:40, Ziyang Xuan wrote: > Using wait_event_interruptible() to wait for complete transmission, > but do not check the result of wait_event_interruptible() which can > be interrupted. It will result in tx buffer has multiple accessers > and the later process interferes with the previous process. > > Following is one of the problems reported by syzbot. > > ============================================================= > WARNING: CPU: 0 PID: 0 at net/can/isotp.c:840 isotp_tx_timer_handler+0x2e0/0x4c0 > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc7+ #68 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 > RIP: 0010:isotp_tx_timer_handler+0x2e0/0x4c0 > Call Trace: > > ? isotp_setsockopt+0x390/0x390 > __hrtimer_run_queues+0xb8/0x610 > hrtimer_run_softirq+0x91/0xd0 > ? rcu_read_lock_sched_held+0x4d/0x80 > __do_softirq+0xe8/0x553 > irq_exit_rcu+0xf8/0x100 > sysvec_apic_timer_interrupt+0x9e/0xc0 > > asm_sysvec_apic_timer_interrupt+0x12/0x20 > > Add result check for wait_event_interruptible() in isotp_sendmsg() > to avoid multiple accessers for tx buffer. > > Reported-by: syzbot+78bab6958a614b0c80b9@syzkaller.appspotmail.com > Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") > Signed-off-by: Ziyang Xuan Acked-by: Oliver Hartkopp Many thanks! Oliver > --- > net/can/isotp.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/can/isotp.c b/net/can/isotp.c > index caaa532ece94..2ac29c2b2ca6 100644 > --- a/net/can/isotp.c > +++ b/net/can/isotp.c > @@ -865,7 +865,9 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) > return -EAGAIN; > > /* wait for complete transmission of current pdu */ > - wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); > + err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); > + if (err) > + return err; > } > > if (!size || size > MAX_MSG_LENGTH) >