From patchwork Thu Nov 26 19:21:40 2020
X-Patchwork-Submitter: Oliver Hartkopp
X-Patchwork-Id: 11934629
X-Patchwork-Delegate: kuba@kernel.org
From: Oliver Hartkopp
To: mkl@pengutronix.de, dvyukov@google.com, netdev@vger.kernel.org,
 linux-can@vger.kernel.org
Cc: syzkaller-bugs@googlegroups.com, Oliver Hartkopp,
 syzbot+381d06e0c8eaacb8706f@syzkaller.appspotmail.com,
 syzbot+d0ddd88c9a7432f041e6@syzkaller.appspotmail.com,
 syzbot+76d62d3b8162883c7d11@syzkaller.appspotmail.com
Subject: [PATCH] can: remove WARN() statement from list operation sanity check
Date: Thu, 26 Nov 2020 20:21:40 +0100
Message-Id: <20201126192140.14350-1-socketcan@hartkopp.net>

To detect potential bugs in CAN protocol implementations (double removal
of receiver entries) a WARN() statement has been used if no matching list
item was found for removal.

The fault injection issued by syzkaller was able to create a situation
where the closing of a socket runs simultaneously to the notifier call
chain for removing the CAN network device in use.

This case is very unlikely in real life but it doesn't break anything.
Therefore we just replace the WARN() statement with pr_warn() to
preserve the notification for the CAN protocol development.

Reported-by: syzbot+381d06e0c8eaacb8706f@syzkaller.appspotmail.com
Reported-by: syzbot+d0ddd88c9a7432f041e6@syzkaller.appspotmail.com
Reported-by: syzbot+76d62d3b8162883c7d11@syzkaller.appspotmail.com
Signed-off-by: Oliver Hartkopp
---
 net/can/af_can.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/can/af_can.c b/net/can/af_can.c index 5d124c155904..7c5ccdec89e1 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -539,14 +539,17 @@ void can_rx_unregister(struct net *net, struct net_device *dev, canid_t can_id, break; } /* Check for bugs in CAN protocol implementations using af_can.c: * 'rcv' will be NULL if no matching list item was found for removal. + * As this case may potentially happen when closing a socket while + * the notifier for removing the CAN netdev is running we just print + * a warning here. Reported by syskaller (see commit message) */ if (!rcv) { - WARN(1, "BUG: receive list entry not found for dev %s, id %03X, mask %03X\n", - DNAME(dev), can_id, mask); + pr_warn("can: receive list entry not found for dev %s, id %03X, mask %03X\n", + DNAME(dev), can_id, mask); goto out; } hlist_del_rcu(&rcv->list); dev_rcv_lists->entries--;
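
Review bot: The pr_warn() added in the `if (!rcv)` branch of can_rx_unregister() is not rate-limited, and the commit message says this branch can be reached by closing a socket while the notifier for removing the CAN netdev is running, so anything that can repeat that sequence can write to the kernel log on every attempt. Consider pr_warn_ratelimited() or pr_warn_once() here; either one still preserves the notification for protocol development that the commit message asks for. In the added comment, "syskaller" should read "syzkaller", and "(see commit message)" is better dropped, since the comment already describes the race and a source comment cannot point the reader to a particular commit. The commit message states that the case "doesn't break anything" but the hunk does not show why; one sentence in the comment saying that the entry has already been removed by the other path, so skipping hlist_del_rcu() and the entries-- decrement via `goto out` is correct, would let a later reader verify that claim.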