can: isotp: fix error path in isotp_sendmsg() to unlock wait queue

JIRA: https://issues.redhat.com/browse/RHEL-39584

commit 8375dfac4f683e1b2c5956d919d36aeedad46699
Author: Oliver Hartkopp <socketcan@hartkopp.net>
Date:   Wed Feb 9 08:36:01 2022 +0100

    can: isotp: fix error path in isotp_sendmsg() to unlock wait queue

    Commit 43a08c3bdac4 ("can: isotp: isotp_sendmsg(): fix TX buffer concurrent
    access in isotp_sendmsg()") introduced a new locking scheme that may render
    the userspace application in a locking state when an error is detected.
    This issue shows up under high load on simultaneously running isotp channels
    with identical configuration which is against the ISO specification and
    therefore breaks any reasonable PDU communication anyway.

    Fixes: 43a08c3bdac4 ("can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()")
    Link: https://lore.kernel.org/all/20220209073601.25728-1-socketcan@hartkopp.net
    Cc: stable@vger.kernel.org
    Cc: Ziyang Xuan <william.xuanziyang@huawei.com>
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

Signed-off-by: Radu Rendec <rrendec@redhat.com>
Radu Rendec 2024-06-07 17:37:44 -04:00
parent 38a305c42b
commit 9f7973dd03
1 changed files with 9 additions and 6 deletions


@ -876,7 +876,7 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
if (!size || size > MAX_MSG_LENGTH) {
err = -EINVAL;
goto err_out;
goto err_out_drop;
}
/* take care of a potential SF_DL ESC offset for TX_DL > 8 */
@ -886,24 +886,24 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
if ((so->opt.flags & CAN_ISOTP_SF_BROADCAST) &&
(size > so->tx.ll_dl - SF_PCI_SZ4 - ae - off)) {
err = -EINVAL;
goto err_out;
goto err_out_drop;
}
err = memcpy_from_msg(so->tx.buf, msg, size);
if (err < 0)
goto err_out;
goto err_out_drop;
dev = dev_get_by_index(sock_net(sk), so->ifindex);
if (!dev) {
err = -ENXIO;
goto err_out;
goto err_out_drop;
}
skb = sock_alloc_send_skb(sk, so->ll.mtu + sizeof(struct can_skb_priv),
msg->msg_flags & MSG_DONTWAIT, &err);
if (!skb) {
dev_put(dev);
goto err_out;
goto err_out_drop;
}
can_skb_reserve(skb);
@ -965,7 +965,7 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
if (err) {
pr_notice_once("can-isotp: %s: can_send_ret %pe\n",
__func__, ERR_PTR(err));
goto err_out;
goto err_out_drop;
}
if (wait_tx_done) {
@ -978,6 +978,9 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
return size;
err_out_drop:
/* drop this PDU and unlock a potential wait queue */
old_state = ISOTP_IDLE;
err_out:
so->tx.state = old_state;
if (so->tx.state == ISOTP_IDLE)
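Review bot: The new `err_out_drop` label forces `so->tx.state` to `ISOTP_IDLE` whatever `old_state` held, so every jump to it, including the early `!size || size > MAX_MSG_LENGTH` check in the first hunk, has to come from a caller that already owns the TX state. The point where the state is taken lies outside the visible hunks, so this should be confirmed against the full function. If any path could reach the label without owning the state, it would wake waiters and free the channel while another sender may still be using `so->tx.buf`, which is the concurrent access that the commit named in `Fixes:` set out to close. I would state the invariant at the label, e.g. `/* only jump here once this caller owns tx.state: drop the PDU and release waiters */`, and add a line at `err_out:` saying it restores `old_state` for paths that presumably never took ownership. The body of `isotp_sendmsg()` starts before the first hunk and continues past the last visible line.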