2020-04-03 15:37:41 +08:00
|
|
|
// SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
|
2019-07-24 20:16:29 +08:00
|
|
|
/* raw.c - Raw sockets for protocol family CAN
|
2007-11-17 07:53:09 +08:00
|
|
|
*
|
|
|
|
* Copyright (c) 2002-2007 Volkswagen Group Electronic Research
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. Neither the name of Volkswagen nor the names of its contributors
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* Alternatively, provided that this notice is retained in full, this
|
|
|
|
* software may be distributed under the terms of the GNU General
|
|
|
|
* Public License ("GPL") version 2, in which case the provisions of the
|
|
|
|
* GPL apply INSTEAD OF those given above.
|
|
|
|
*
|
|
|
|
* The provided data structures and external interfaces from this code
|
|
|
|
* are not restricted to be used by modules with a GPL compatible license.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
|
|
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
|
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
|
|
|
|
* DAMAGE.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/uio.h>
|
|
|
|
#include <linux/net.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 16:04:11 +08:00
|
|
|
#include <linux/slab.h>
|
2007-11-17 07:53:09 +08:00
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/socket.h>
|
|
|
|
#include <linux/if_arp.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/can.h>
|
|
|
|
#include <linux/can/core.h>
|
2022-09-13 01:07:25 +08:00
|
|
|
#include <linux/can/dev.h> /* for can_is_canxl_dev_mtu() */
|
2013-01-18 01:43:39 +08:00
|
|
|
#include <linux/can/skb.h>
|
2007-11-17 07:53:09 +08:00
|
|
|
#include <linux/can/raw.h>
|
|
|
|
#include <net/sock.h>
|
|
|
|
#include <net/net_namespace.h>
|
|
|
|
|
|
|
|
MODULE_DESCRIPTION("PF_CAN raw protocol");
|
|
|
|
MODULE_LICENSE("Dual BSD/GPL");
|
|
|
|
MODULE_AUTHOR("Urs Thuermann <urs.thuermann@volkswagen.de>");
|
2009-07-15 07:12:25 +08:00
|
|
|
MODULE_ALIAS("can-proto-1");
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2021-03-25 20:58:48 +08:00
|
|
|
#define RAW_MIN_NAMELEN CAN_REQUIRED_SIZE(struct sockaddr_can, can_ifindex)
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
#define MASK_ALL 0
|
|
|
|
|
2019-07-24 20:16:29 +08:00
|
|
|
/* A raw socket has a list of can_filters attached to it, each receiving
|
2007-11-17 07:53:09 +08:00
|
|
|
* the CAN frames matching that filter. If the filter list is empty,
|
|
|
|
* no CAN frames will be received by the socket. The default after
|
|
|
|
* opening the socket, is to have one filter which receives all frames.
|
|
|
|
* The filter list is allocated dynamically with the exception of the
|
|
|
|
* list containing only one item. This common case is optimized by
|
|
|
|
* storing the single filter in dfilter, to avoid using dynamic memory.
|
|
|
|
*/
|
|
|
|
|
2015-04-01 13:50:28 +08:00
|
|
|
struct uniqframe {
|
2015-06-26 17:58:19 +08:00
|
|
|
int skbcnt;
|
2015-04-01 13:50:28 +08:00
|
|
|
const struct sk_buff *skb;
|
2015-04-01 13:50:29 +08:00
|
|
|
unsigned int join_rx_count;
|
2015-04-01 13:50:28 +08:00
|
|
|
};
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
struct raw_sock {
|
|
|
|
struct sock sk;
|
|
|
|
int bound;
|
|
|
|
int ifindex;
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
struct net_device *dev;
|
2021-06-05 18:26:35 +08:00
|
|
|
struct list_head notifier;
|
2007-11-17 07:53:09 +08:00
|
|
|
int loopback;
|
|
|
|
int recv_own_msgs;
|
2012-06-14 02:41:31 +08:00
|
|
|
int fd_frames;
|
2022-09-13 01:07:25 +08:00
|
|
|
int xl_frames;
|
2015-04-01 13:50:29 +08:00
|
|
|
int join_filters;
|
2007-11-17 07:53:09 +08:00
|
|
|
int count; /* number of active filters */
|
|
|
|
struct can_filter dfilter; /* default/single filter */
|
|
|
|
struct can_filter *filter; /* pointer to filter(s) */
|
|
|
|
can_err_mask_t err_mask;
|
2015-04-01 13:50:28 +08:00
|
|
|
struct uniqframe __percpu *uniq;
|
2007-11-17 07:53:09 +08:00
|
|
|
};
|
|
|
|
|
2021-06-05 18:26:35 +08:00
|
|
|
static LIST_HEAD(raw_notifier_list);
|
|
|
|
static DEFINE_SPINLOCK(raw_notifier_lock);
|
|
|
|
static struct raw_sock *raw_busy_notifier;
|
|
|
|
|
2019-07-24 20:16:29 +08:00
|
|
|
/* Return pointer to store the extra msg flags for raw_recvmsg().
|
2010-10-19 17:32:04 +08:00
|
|
|
* We use the space of one unsigned int beyond the 'struct sockaddr_can'
|
|
|
|
* in skb->cb.
|
|
|
|
*/
|
|
|
|
static inline unsigned int *raw_flags(struct sk_buff *skb)
|
|
|
|
{
|
2015-03-01 20:58:29 +08:00
|
|
|
sock_skb_cb_check_size(sizeof(struct sockaddr_can) +
|
|
|
|
sizeof(unsigned int));
|
2010-10-19 17:32:04 +08:00
|
|
|
|
|
|
|
/* return pointer after struct sockaddr_can */
|
|
|
|
return (unsigned int *)(&((struct sockaddr_can *)skb->cb)[1]);
|
|
|
|
}
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
static inline struct raw_sock *raw_sk(const struct sock *sk)
|
|
|
|
{
|
|
|
|
return (struct raw_sock *)sk;
|
|
|
|
}
|
|
|
|
|
2010-10-19 17:32:04 +08:00
|
|
|
static void raw_rcv(struct sk_buff *oskb, void *data)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = (struct sock *)data;
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
|
|
|
struct sockaddr_can *addr;
|
2010-10-19 17:32:04 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
unsigned int *pflags;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2009-01-07 03:07:54 +08:00
|
|
|
/* check the received tx sock reference */
|
2010-10-19 17:32:04 +08:00
|
|
|
if (!ro->recv_own_msgs && oskb->sk == sk)
|
2009-01-07 03:07:54 +08:00
|
|
|
return;
|
|
|
|
|
2022-09-13 01:07:25 +08:00
|
|
|
/* make sure to not pass oversized frames to the socket */
|
2023-01-31 18:56:13 +08:00
|
|
|
if ((!ro->fd_frames && can_is_canfd_skb(oskb)) ||
|
|
|
|
(!ro->xl_frames && can_is_canxl_skb(oskb)))
|
2014-03-01 22:31:53 +08:00
|
|
|
return;
|
2012-06-14 02:41:31 +08:00
|
|
|
|
2015-04-01 13:50:28 +08:00
|
|
|
/* eliminate multiple filter matches for the same skb */
|
|
|
|
if (this_cpu_ptr(ro->uniq)->skb == oskb &&
|
2015-06-26 17:58:19 +08:00
|
|
|
this_cpu_ptr(ro->uniq)->skbcnt == can_skb_prv(oskb)->skbcnt) {
|
2022-08-27 15:20:11 +08:00
|
|
|
if (!ro->join_filters)
|
|
|
|
return;
|
|
|
|
|
|
|
|
this_cpu_inc(ro->uniq->join_rx_count);
|
|
|
|
/* drop frame until all enabled filters matched */
|
|
|
|
if (this_cpu_ptr(ro->uniq)->join_rx_count < ro->count)
|
2015-04-01 13:50:29 +08:00
|
|
|
return;
|
2015-04-01 13:50:28 +08:00
|
|
|
} else {
|
|
|
|
this_cpu_ptr(ro->uniq)->skb = oskb;
|
2015-06-26 17:58:19 +08:00
|
|
|
this_cpu_ptr(ro->uniq)->skbcnt = can_skb_prv(oskb)->skbcnt;
|
2015-04-01 13:50:29 +08:00
|
|
|
this_cpu_ptr(ro->uniq)->join_rx_count = 1;
|
|
|
|
/* drop first frame to check all enabled filters? */
|
|
|
|
if (ro->join_filters && ro->count > 1)
|
|
|
|
return;
|
2015-04-01 13:50:28 +08:00
|
|
|
}
|
|
|
|
|
2009-01-07 03:07:54 +08:00
|
|
|
/* clone the given skb to be able to enqueue it into the rcv queue */
|
2010-10-19 17:32:04 +08:00
|
|
|
skb = skb_clone(oskb, GFP_ATOMIC);
|
2009-01-07 03:07:54 +08:00
|
|
|
if (!skb)
|
|
|
|
return;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2020-09-16 06:34:56 +08:00
|
|
|
/* Put the datagram to the queue so that raw_recvmsg() can get
|
|
|
|
* it from there. We need to pass the interface index to
|
|
|
|
* raw_recvmsg(). We pass a whole struct sockaddr_can in
|
|
|
|
* skb->cb containing the interface index.
|
2007-11-17 07:53:09 +08:00
|
|
|
*/
|
|
|
|
|
2015-03-01 20:58:29 +08:00
|
|
|
sock_skb_cb_check_size(sizeof(struct sockaddr_can));
|
2007-11-17 07:53:09 +08:00
|
|
|
addr = (struct sockaddr_can *)skb->cb;
|
|
|
|
memset(addr, 0, sizeof(*addr));
|
2020-09-16 06:34:56 +08:00
|
|
|
addr->can_family = AF_CAN;
|
2007-11-17 07:53:09 +08:00
|
|
|
addr->can_ifindex = skb->dev->ifindex;
|
|
|
|
|
2010-10-19 17:32:04 +08:00
|
|
|
/* add CAN specific message flags for raw_recvmsg() */
|
|
|
|
pflags = raw_flags(skb);
|
|
|
|
*pflags = 0;
|
|
|
|
if (oskb->sk)
|
|
|
|
*pflags |= MSG_DONTROUTE;
|
|
|
|
if (oskb->sk == sk)
|
|
|
|
*pflags |= MSG_CONFIRM;
|
|
|
|
|
2008-02-08 10:05:04 +08:00
|
|
|
if (sock_queue_rcv_skb(sk, skb) < 0)
|
2007-11-17 07:53:09 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
}
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
static int raw_enable_filters(struct net *net, struct net_device *dev,
|
|
|
|
struct sock *sk, struct can_filter *filter,
|
|
|
|
int count)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++) {
|
2017-02-21 19:19:47 +08:00
|
|
|
err = can_rx_register(net, dev, filter[i].can_id,
|
2007-11-17 07:53:09 +08:00
|
|
|
filter[i].can_mask,
|
2017-01-28 00:11:44 +08:00
|
|
|
raw_rcv, sk, "raw", sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
if (err) {
|
|
|
|
/* clean up successfully registered filters */
|
|
|
|
while (--i >= 0)
|
2017-02-21 19:19:47 +08:00
|
|
|
can_rx_unregister(net, dev, filter[i].can_id,
|
2007-11-17 07:53:09 +08:00
|
|
|
filter[i].can_mask,
|
|
|
|
raw_rcv, sk);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
static int raw_enable_errfilter(struct net *net, struct net_device *dev,
|
|
|
|
struct sock *sk, can_err_mask_t err_mask)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (err_mask)
|
2017-02-21 19:19:47 +08:00
|
|
|
err = can_rx_register(net, dev, 0, err_mask | CAN_ERR_FLAG,
|
2017-01-28 00:11:44 +08:00
|
|
|
raw_rcv, sk, "raw", sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
static void raw_disable_filters(struct net *net, struct net_device *dev,
|
|
|
|
struct sock *sk, struct can_filter *filter,
|
|
|
|
int count)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++)
|
2017-02-21 19:19:47 +08:00
|
|
|
can_rx_unregister(net, dev, filter[i].can_id,
|
|
|
|
filter[i].can_mask, raw_rcv, sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
static inline void raw_disable_errfilter(struct net *net,
|
|
|
|
struct net_device *dev,
|
2007-11-17 07:53:09 +08:00
|
|
|
struct sock *sk,
|
|
|
|
can_err_mask_t err_mask)
|
|
|
|
|
|
|
|
{
|
|
|
|
if (err_mask)
|
2017-02-21 19:19:47 +08:00
|
|
|
can_rx_unregister(net, dev, 0, err_mask | CAN_ERR_FLAG,
|
2007-11-17 07:53:09 +08:00
|
|
|
raw_rcv, sk);
|
|
|
|
}
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
static inline void raw_disable_allfilters(struct net *net,
|
|
|
|
struct net_device *dev,
|
2007-11-17 07:53:09 +08:00
|
|
|
struct sock *sk)
|
|
|
|
{
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
raw_disable_filters(net, dev, sk, ro->filter, ro->count);
|
|
|
|
raw_disable_errfilter(net, dev, sk, ro->err_mask);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
static int raw_enable_allfilters(struct net *net, struct net_device *dev,
|
|
|
|
struct sock *sk)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
|
|
|
int err;
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
err = raw_enable_filters(net, dev, sk, ro->filter, ro->count);
|
2007-11-17 07:53:09 +08:00
|
|
|
if (!err) {
|
2017-02-21 19:19:47 +08:00
|
|
|
err = raw_enable_errfilter(net, dev, sk, ro->err_mask);
|
2007-11-17 07:53:09 +08:00
|
|
|
if (err)
|
2017-02-21 19:19:47 +08:00
|
|
|
raw_disable_filters(net, dev, sk, ro->filter,
|
|
|
|
ro->count);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2021-06-05 18:26:35 +08:00
|
|
|
static void raw_notify(struct raw_sock *ro, unsigned long msg,
|
|
|
|
struct net_device *dev)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = &ro->sk;
|
|
|
|
|
2017-02-21 19:19:47 +08:00
|
|
|
if (!net_eq(dev_net(dev), sock_net(sk)))
|
2021-06-05 18:26:35 +08:00
|
|
|
return;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
if (ro->dev != dev)
|
2021-06-05 18:26:35 +08:00
|
|
|
return;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
switch (msg) {
|
|
|
|
case NETDEV_UNREGISTER:
|
|
|
|
lock_sock(sk);
|
|
|
|
/* remove current filters & unregister */
|
|
|
|
if (ro->bound)
|
2017-02-21 19:19:47 +08:00
|
|
|
raw_disable_allfilters(dev_net(dev), dev, sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
if (ro->count > 1)
|
|
|
|
kfree(ro->filter);
|
|
|
|
|
|
|
|
ro->ifindex = 0;
|
2020-09-16 06:34:56 +08:00
|
|
|
ro->bound = 0;
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
ro->dev = NULL;
|
2020-09-16 06:34:56 +08:00
|
|
|
ro->count = 0;
|
2007-11-17 07:53:09 +08:00
|
|
|
release_sock(sk);
|
|
|
|
|
|
|
|
sk->sk_err = ENODEV;
|
|
|
|
if (!sock_flag(sk, SOCK_DEAD))
|
2021-06-28 06:48:21 +08:00
|
|
|
sk_error_report(sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case NETDEV_DOWN:
|
|
|
|
sk->sk_err = ENETDOWN;
|
|
|
|
if (!sock_flag(sk, SOCK_DEAD))
|
2021-06-28 06:48:21 +08:00
|
|
|
sk_error_report(sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
break;
|
|
|
|
}
|
2021-06-05 18:26:35 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_notifier(struct notifier_block *nb, unsigned long msg,
|
|
|
|
void *ptr)
|
|
|
|
{
|
|
|
|
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
|
|
|
|
|
|
|
if (dev->type != ARPHRD_CAN)
|
|
|
|
return NOTIFY_DONE;
|
|
|
|
if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN)
|
|
|
|
return NOTIFY_DONE;
|
|
|
|
if (unlikely(raw_busy_notifier)) /* Check for reentrant bug. */
|
|
|
|
return NOTIFY_DONE;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2021-06-05 18:26:35 +08:00
|
|
|
spin_lock(&raw_notifier_lock);
|
|
|
|
list_for_each_entry(raw_busy_notifier, &raw_notifier_list, notifier) {
|
|
|
|
spin_unlock(&raw_notifier_lock);
|
|
|
|
raw_notify(raw_busy_notifier, msg, dev);
|
|
|
|
spin_lock(&raw_notifier_lock);
|
|
|
|
}
|
|
|
|
raw_busy_notifier = NULL;
|
|
|
|
spin_unlock(&raw_notifier_lock);
|
2007-11-17 07:53:09 +08:00
|
|
|
return NOTIFY_DONE;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_init(struct sock *sk)
|
|
|
|
{
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
|
|
|
|
|
|
|
ro->bound = 0;
|
|
|
|
ro->ifindex = 0;
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
ro->dev = NULL;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
/* set default filter to single entry dfilter */
|
|
|
|
ro->dfilter.can_id = 0;
|
|
|
|
ro->dfilter.can_mask = MASK_ALL;
|
|
|
|
ro->filter = &ro->dfilter;
|
|
|
|
ro->count = 1;
|
|
|
|
|
|
|
|
/* set default loopback behaviour */
|
|
|
|
ro->loopback = 1;
|
|
|
|
ro->recv_own_msgs = 0;
|
2012-06-14 02:41:31 +08:00
|
|
|
ro->fd_frames = 0;
|
2022-09-13 01:07:25 +08:00
|
|
|
ro->xl_frames = 0;
|
2015-04-01 13:50:29 +08:00
|
|
|
ro->join_filters = 0;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2015-04-01 13:50:28 +08:00
|
|
|
/* alloc_percpu provides zero'ed memory */
|
|
|
|
ro->uniq = alloc_percpu(struct uniqframe);
|
|
|
|
if (unlikely(!ro->uniq))
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
/* set notifier */
|
2021-06-05 18:26:35 +08:00
|
|
|
spin_lock(&raw_notifier_lock);
|
|
|
|
list_add_tail(&ro->notifier, &raw_notifier_list);
|
|
|
|
spin_unlock(&raw_notifier_lock);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_release(struct socket *sock)
|
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
2011-04-20 09:57:15 +08:00
|
|
|
struct raw_sock *ro;
|
|
|
|
|
|
|
|
if (!sk)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ro = raw_sk(sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2021-06-05 18:26:35 +08:00
|
|
|
spin_lock(&raw_notifier_lock);
|
|
|
|
while (raw_busy_notifier == ro) {
|
|
|
|
spin_unlock(&raw_notifier_lock);
|
|
|
|
schedule_timeout_uninterruptible(1);
|
|
|
|
spin_lock(&raw_notifier_lock);
|
|
|
|
}
|
|
|
|
list_del(&ro->notifier);
|
|
|
|
spin_unlock(&raw_notifier_lock);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2023-07-20 19:44:38 +08:00
|
|
|
rtnl_lock();
|
2007-11-17 07:53:09 +08:00
|
|
|
lock_sock(sk);
|
|
|
|
|
|
|
|
/* remove current filters & unregister */
|
|
|
|
if (ro->bound) {
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
if (ro->dev)
|
|
|
|
raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk);
|
|
|
|
else
|
2017-02-21 19:19:47 +08:00
|
|
|
raw_disable_allfilters(sock_net(sk), NULL, sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (ro->count > 1)
|
|
|
|
kfree(ro->filter);
|
|
|
|
|
|
|
|
ro->ifindex = 0;
|
2020-09-16 06:34:56 +08:00
|
|
|
ro->bound = 0;
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
ro->dev = NULL;
|
2020-09-16 06:34:56 +08:00
|
|
|
ro->count = 0;
|
2015-04-01 13:50:28 +08:00
|
|
|
free_percpu(ro->uniq);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2009-07-15 07:10:21 +08:00
|
|
|
sock_orphan(sk);
|
|
|
|
sock->sk = NULL;
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
release_sock(sk);
|
2023-07-20 19:44:38 +08:00
|
|
|
rtnl_unlock();
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
sock_put(sk);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
|
|
|
|
{
|
|
|
|
struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
struct net_device *dev = NULL;
|
2007-11-17 07:53:09 +08:00
|
|
|
int ifindex;
|
|
|
|
int err = 0;
|
|
|
|
int notify_enetdown = 0;
|
|
|
|
|
2021-03-25 20:58:48 +08:00
|
|
|
if (len < RAW_MIN_NAMELEN)
|
2007-11-17 07:53:09 +08:00
|
|
|
return -EINVAL;
|
2017-07-31 05:51:01 +08:00
|
|
|
if (addr->can_family != AF_CAN)
|
|
|
|
return -EINVAL;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
rtnl_lock();
|
2007-11-17 07:53:09 +08:00
|
|
|
lock_sock(sk);
|
|
|
|
|
|
|
|
if (ro->bound && addr->can_ifindex == ro->ifindex)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
if (addr->can_ifindex) {
|
2017-02-21 19:19:47 +08:00
|
|
|
dev = dev_get_by_index(sock_net(sk), addr->can_ifindex);
|
2007-11-17 07:53:09 +08:00
|
|
|
if (!dev) {
|
|
|
|
err = -ENODEV;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (dev->type != ARPHRD_CAN) {
|
|
|
|
dev_put(dev);
|
|
|
|
err = -ENODEV;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (!(dev->flags & IFF_UP))
|
|
|
|
notify_enetdown = 1;
|
|
|
|
|
|
|
|
ifindex = dev->ifindex;
|
|
|
|
|
|
|
|
/* filters set by default/setsockopt */
|
2017-02-21 19:19:47 +08:00
|
|
|
err = raw_enable_allfilters(sock_net(sk), dev, sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
dev_put(dev);
|
|
|
|
} else {
|
|
|
|
ifindex = 0;
|
|
|
|
|
|
|
|
/* filters set by default/setsockopt */
|
2017-02-21 19:19:47 +08:00
|
|
|
err = raw_enable_allfilters(sock_net(sk), NULL, sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!err) {
|
|
|
|
if (ro->bound) {
|
|
|
|
/* unregister old filters */
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
if (ro->dev)
|
|
|
|
raw_disable_allfilters(dev_net(ro->dev),
|
|
|
|
ro->dev, sk);
|
|
|
|
else
|
2017-02-21 19:19:47 +08:00
|
|
|
raw_disable_allfilters(sock_net(sk), NULL, sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
ro->ifindex = ifindex;
|
|
|
|
ro->bound = 1;
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
ro->dev = dev;
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
release_sock(sk);
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
rtnl_unlock();
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
if (notify_enetdown) {
|
|
|
|
sk->sk_err = ENETDOWN;
|
|
|
|
if (!sock_flag(sk, SOCK_DEAD))
|
2021-06-28 06:48:21 +08:00
|
|
|
sk_error_report(sk);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_getname(struct socket *sock, struct sockaddr *uaddr,
|
2018-02-13 03:00:20 +08:00
|
|
|
int peer)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
|
|
|
|
|
|
|
if (peer)
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
2021-03-25 20:58:48 +08:00
|
|
|
memset(addr, 0, RAW_MIN_NAMELEN);
|
2007-11-17 07:53:09 +08:00
|
|
|
addr->can_family = AF_CAN;
|
|
|
|
addr->can_ifindex = ro->ifindex;
|
|
|
|
|
2021-03-25 20:58:48 +08:00
|
|
|
return RAW_MIN_NAMELEN;
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_setsockopt(struct socket *sock, int level, int optname,
|
2020-07-23 14:09:07 +08:00
|
|
|
sockptr_t optval, unsigned int optlen)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
|
|
|
struct can_filter *filter = NULL; /* dyn. alloc'ed filters */
|
|
|
|
struct can_filter sfilter; /* single filter */
|
|
|
|
struct net_device *dev = NULL;
|
|
|
|
can_err_mask_t err_mask = 0;
|
2023-02-03 17:08:07 +08:00
|
|
|
int fd_frames;
|
2007-11-17 07:53:09 +08:00
|
|
|
int count = 0;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (level != SOL_CAN_RAW)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
switch (optname) {
|
|
|
|
case CAN_RAW_FILTER:
|
|
|
|
if (optlen % sizeof(struct can_filter) != 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2016-12-05 18:44:23 +08:00
|
|
|
if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
count = optlen / sizeof(struct can_filter);
|
|
|
|
|
|
|
|
if (count > 1) {
|
|
|
|
/* filter does not fit into dfilter => alloc space */
|
2020-07-23 14:09:07 +08:00
|
|
|
filter = memdup_sockptr(optval, optlen);
|
2010-05-22 06:18:34 +08:00
|
|
|
if (IS_ERR(filter))
|
|
|
|
return PTR_ERR(filter);
|
2007-11-17 07:53:09 +08:00
|
|
|
} else if (count == 1) {
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&sfilter, optval, sizeof(sfilter)))
|
2008-04-27 13:57:25 +08:00
|
|
|
return -EFAULT;
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
2021-07-22 15:08:19 +08:00
|
|
|
rtnl_lock();
|
2007-11-17 07:53:09 +08:00
|
|
|
lock_sock(sk);
|
|
|
|
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
dev = ro->dev;
|
|
|
|
if (ro->bound && dev) {
|
|
|
|
if (dev->reg_state != NETREG_REGISTERED) {
|
2021-07-22 15:08:19 +08:00
|
|
|
if (count > 1)
|
|
|
|
kfree(filter);
|
|
|
|
err = -ENODEV;
|
|
|
|
goto out_fil;
|
|
|
|
}
|
|
|
|
}
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
if (ro->bound) {
|
|
|
|
/* (try to) register the new filters */
|
|
|
|
if (count == 1)
|
2017-02-21 19:19:47 +08:00
|
|
|
err = raw_enable_filters(sock_net(sk), dev, sk,
|
|
|
|
&sfilter, 1);
|
2007-11-17 07:53:09 +08:00
|
|
|
else
|
2017-02-21 19:19:47 +08:00
|
|
|
err = raw_enable_filters(sock_net(sk), dev, sk,
|
|
|
|
filter, count);
|
2007-11-17 07:53:09 +08:00
|
|
|
if (err) {
|
|
|
|
if (count > 1)
|
|
|
|
kfree(filter);
|
|
|
|
goto out_fil;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* remove old filter registrations */
|
2017-02-21 19:19:47 +08:00
|
|
|
raw_disable_filters(sock_net(sk), dev, sk, ro->filter,
|
|
|
|
ro->count);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* remove old filter space */
|
|
|
|
if (ro->count > 1)
|
|
|
|
kfree(ro->filter);
|
|
|
|
|
|
|
|
/* link new filters to the socket */
|
|
|
|
if (count == 1) {
|
|
|
|
/* copy filter data for single filter */
|
|
|
|
ro->dfilter = sfilter;
|
|
|
|
filter = &ro->dfilter;
|
|
|
|
}
|
|
|
|
ro->filter = filter;
|
|
|
|
ro->count = count;
|
|
|
|
|
|
|
|
out_fil:
|
|
|
|
release_sock(sk);
|
2021-07-22 15:08:19 +08:00
|
|
|
rtnl_unlock();
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CAN_RAW_ERR_FILTER:
|
|
|
|
if (optlen != sizeof(err_mask))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&err_mask, optval, optlen))
|
2008-04-27 13:57:25 +08:00
|
|
|
return -EFAULT;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
err_mask &= CAN_ERR_MASK;
|
|
|
|
|
2021-07-22 15:08:19 +08:00
|
|
|
rtnl_lock();
|
2007-11-17 07:53:09 +08:00
|
|
|
lock_sock(sk);
|
|
|
|
|
can: raw: fix receiver memory leak
Got kmemleak errors with the following ltp can_filter testcase:
for ((i=1; i<=100; i++))
do
./can_filter &
sleep 0.1
done
==============================================================
[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
[<00000000fd468496>] do_syscall_64+0x33/0x40
[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
It's a bug in the concurrent scenario of unregister_netdevice_many()
and raw_release() as following:
cpu0 cpu1
unregister_netdevice_many(can_dev)
unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
net_set_todo(can_dev)
raw_release(can_socket)
dev = dev_get_by_index(, ro->ifindex); // dev == NULL
if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
raw_disable_allfilters(, dev, );
dev_put(dev);
}
...
ro->bound = 0;
...
call_netdevice_notifiers(NETDEV_UNREGISTER, )
raw_notify(, NETDEV_UNREGISTER, )
if (ro->bound) // invalid because ro->bound has been set 0
raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
Add a net_device pointer member in struct raw_sock to record bound
can_dev, and use rtnl_lock to serialize raw_socket members between
raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
ro->dev to decide whether to free receivers in dev_rcv_lists.
Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-07-11 09:17:37 +08:00
|
|
|
dev = ro->dev;
|
|
|
|
if (ro->bound && dev) {
|
|
|
|
if (dev->reg_state != NETREG_REGISTERED) {
|
2021-07-22 15:08:19 +08:00
|
|
|
err = -ENODEV;
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
}
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
/* remove current error mask */
|
|
|
|
if (ro->bound) {
|
|
|
|
/* (try to) register the new err_mask */
|
2017-02-21 19:19:47 +08:00
|
|
|
err = raw_enable_errfilter(sock_net(sk), dev, sk,
|
|
|
|
err_mask);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
if (err)
|
|
|
|
goto out_err;
|
|
|
|
|
|
|
|
/* remove old err_mask registration */
|
2017-02-21 19:19:47 +08:00
|
|
|
raw_disable_errfilter(sock_net(sk), dev, sk,
|
|
|
|
ro->err_mask);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* link new err_mask to the socket */
|
|
|
|
ro->err_mask = err_mask;
|
|
|
|
|
|
|
|
out_err:
|
|
|
|
release_sock(sk);
|
2021-07-22 15:08:19 +08:00
|
|
|
rtnl_unlock();
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CAN_RAW_LOOPBACK:
|
|
|
|
if (optlen != sizeof(ro->loopback))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&ro->loopback, optval, optlen))
|
2008-04-27 13:57:25 +08:00
|
|
|
return -EFAULT;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CAN_RAW_RECV_OWN_MSGS:
|
|
|
|
if (optlen != sizeof(ro->recv_own_msgs))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&ro->recv_own_msgs, optval, optlen))
|
2008-04-27 13:57:25 +08:00
|
|
|
return -EFAULT;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
break;
|
|
|
|
|
2012-06-14 02:41:31 +08:00
|
|
|
case CAN_RAW_FD_FRAMES:
|
2023-02-03 17:08:07 +08:00
|
|
|
if (optlen != sizeof(fd_frames))
|
2012-06-14 02:41:31 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2023-02-03 17:08:07 +08:00
|
|
|
if (copy_from_sockptr(&fd_frames, optval, optlen))
|
2012-06-14 02:41:31 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
2023-01-31 18:56:13 +08:00
|
|
|
/* Enabling CAN XL includes CAN FD */
|
2023-02-03 17:08:07 +08:00
|
|
|
if (ro->xl_frames && !fd_frames)
|
2023-01-31 18:56:13 +08:00
|
|
|
return -EINVAL;
|
2023-02-03 17:08:07 +08:00
|
|
|
|
|
|
|
ro->fd_frames = fd_frames;
|
2012-06-14 02:41:31 +08:00
|
|
|
break;
|
|
|
|
|
2022-09-13 01:07:25 +08:00
|
|
|
case CAN_RAW_XL_FRAMES:
|
|
|
|
if (optlen != sizeof(ro->xl_frames))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (copy_from_sockptr(&ro->xl_frames, optval, optlen))
|
|
|
|
return -EFAULT;
|
|
|
|
|
2023-01-31 18:56:13 +08:00
|
|
|
/* Enabling CAN XL includes CAN FD */
|
|
|
|
if (ro->xl_frames)
|
|
|
|
ro->fd_frames = ro->xl_frames;
|
2022-09-13 01:07:25 +08:00
|
|
|
break;
|
|
|
|
|
2015-04-01 13:50:29 +08:00
|
|
|
case CAN_RAW_JOIN_FILTERS:
|
|
|
|
if (optlen != sizeof(ro->join_filters))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&ro->join_filters, optval, optlen))
|
2015-04-01 13:50:29 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
default:
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_getsockopt(struct socket *sock, int level, int optname,
|
|
|
|
char __user *optval, int __user *optlen)
|
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
|
|
|
int len;
|
|
|
|
void *val;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (level != SOL_CAN_RAW)
|
|
|
|
return -EINVAL;
|
|
|
|
if (get_user(len, optlen))
|
|
|
|
return -EFAULT;
|
|
|
|
if (len < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
switch (optname) {
|
|
|
|
case CAN_RAW_FILTER:
|
|
|
|
lock_sock(sk);
|
|
|
|
if (ro->count > 0) {
|
|
|
|
int fsize = ro->count * sizeof(struct can_filter);
|
2019-07-24 20:28:21 +08:00
|
|
|
|
2020-12-17 01:49:28 +08:00
|
|
|
/* user space buffer to small for filter list? */
|
|
|
|
if (len < fsize) {
|
|
|
|
/* return -ERANGE and needed space in optlen */
|
|
|
|
err = -ERANGE;
|
|
|
|
if (put_user(fsize, optlen))
|
|
|
|
err = -EFAULT;
|
|
|
|
} else {
|
|
|
|
if (len > fsize)
|
|
|
|
len = fsize;
|
|
|
|
if (copy_to_user(optval, ro->filter, len))
|
|
|
|
err = -EFAULT;
|
|
|
|
}
|
2019-08-13 15:03:55 +08:00
|
|
|
} else {
|
2007-11-17 07:53:09 +08:00
|
|
|
len = 0;
|
2019-08-13 15:03:55 +08:00
|
|
|
}
|
2007-11-17 07:53:09 +08:00
|
|
|
release_sock(sk);
|
|
|
|
|
|
|
|
if (!err)
|
|
|
|
err = put_user(len, optlen);
|
|
|
|
return err;
|
|
|
|
|
|
|
|
case CAN_RAW_ERR_FILTER:
|
|
|
|
if (len > sizeof(can_err_mask_t))
|
|
|
|
len = sizeof(can_err_mask_t);
|
|
|
|
val = &ro->err_mask;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CAN_RAW_LOOPBACK:
|
|
|
|
if (len > sizeof(int))
|
|
|
|
len = sizeof(int);
|
|
|
|
val = &ro->loopback;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CAN_RAW_RECV_OWN_MSGS:
|
|
|
|
if (len > sizeof(int))
|
|
|
|
len = sizeof(int);
|
|
|
|
val = &ro->recv_own_msgs;
|
|
|
|
break;
|
|
|
|
|
2012-06-14 02:41:31 +08:00
|
|
|
case CAN_RAW_FD_FRAMES:
|
|
|
|
if (len > sizeof(int))
|
|
|
|
len = sizeof(int);
|
|
|
|
val = &ro->fd_frames;
|
|
|
|
break;
|
|
|
|
|
2022-09-13 01:07:25 +08:00
|
|
|
case CAN_RAW_XL_FRAMES:
|
|
|
|
if (len > sizeof(int))
|
|
|
|
len = sizeof(int);
|
|
|
|
val = &ro->xl_frames;
|
|
|
|
break;
|
|
|
|
|
2015-04-01 13:50:29 +08:00
|
|
|
case CAN_RAW_JOIN_FILTERS:
|
|
|
|
if (len > sizeof(int))
|
|
|
|
len = sizeof(int);
|
|
|
|
val = &ro->join_filters;
|
|
|
|
break;
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
default:
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (put_user(len, optlen))
|
|
|
|
return -EFAULT;
|
|
|
|
if (copy_to_user(optval, val, len))
|
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2023-01-31 18:56:13 +08:00
|
|
|
static bool raw_bad_txframe(struct raw_sock *ro, struct sk_buff *skb, int mtu)
|
|
|
|
{
|
|
|
|
/* Classical CAN -> no checks for flags and device capabilities */
|
|
|
|
if (can_is_can_skb(skb))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* CAN FD -> needs to be enabled and a CAN FD or CAN XL device */
|
|
|
|
if (ro->fd_frames && can_is_canfd_skb(skb) &&
|
|
|
|
(mtu == CANFD_MTU || can_is_canxl_dev_mtu(mtu)))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* CAN XL -> needs to be enabled and a CAN XL device */
|
|
|
|
if (ro->xl_frames && can_is_canxl_skb(skb) &&
|
|
|
|
can_is_canxl_dev_mtu(mtu))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int raw_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct raw_sock *ro = raw_sk(sk);
|
2022-04-21 18:31:52 +08:00
|
|
|
struct sockcm_cookie sockc;
|
2007-11-17 07:53:09 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
struct net_device *dev;
|
|
|
|
int ifindex;
|
2022-09-13 01:07:25 +08:00
|
|
|
int err = -EINVAL;
|
|
|
|
|
|
|
|
/* check for valid CAN frame sizes */
|
|
|
|
if (size < CANXL_HDR_SIZE + CANXL_MIN_DLEN || size > CANXL_MTU)
|
|
|
|
return -EINVAL;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
if (msg->msg_name) {
|
2014-01-18 05:53:15 +08:00
|
|
|
DECLARE_SOCKADDR(struct sockaddr_can *, addr, msg->msg_name);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2021-03-25 20:58:48 +08:00
|
|
|
if (msg->msg_namelen < RAW_MIN_NAMELEN)
|
2011-01-16 12:56:42 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
if (addr->can_family != AF_CAN)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
ifindex = addr->can_ifindex;
|
2019-08-13 15:03:55 +08:00
|
|
|
} else {
|
2007-11-17 07:53:09 +08:00
|
|
|
ifindex = ro->ifindex;
|
2019-08-13 15:03:55 +08:00
|
|
|
}
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2018-10-24 16:27:12 +08:00
|
|
|
dev = dev_get_by_index(sock_net(sk), ifindex);
|
|
|
|
if (!dev)
|
|
|
|
return -ENXIO;
|
|
|
|
|
2013-01-18 01:43:39 +08:00
|
|
|
skb = sock_alloc_send_skb(sk, size + sizeof(struct can_skb_priv),
|
|
|
|
msg->msg_flags & MSG_DONTWAIT, &err);
|
2008-12-15 15:16:58 +08:00
|
|
|
if (!skb)
|
|
|
|
goto put_dev;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2013-01-28 16:33:33 +08:00
|
|
|
can_skb_reserve(skb);
|
|
|
|
can_skb_prv(skb)->ifindex = dev->ifindex;
|
2015-06-26 17:58:19 +08:00
|
|
|
can_skb_prv(skb)->skbcnt = 0;
|
2013-01-18 01:43:39 +08:00
|
|
|
|
2022-09-13 01:07:25 +08:00
|
|
|
/* fill the skb before testing for valid CAN frames */
|
2014-04-07 09:25:44 +08:00
|
|
|
err = memcpy_from_msg(skb_put(skb, size), msg, size);
|
2009-02-12 13:03:39 +08:00
|
|
|
if (err < 0)
|
|
|
|
goto free_skb;
|
2013-04-14 16:08:13 +08:00
|
|
|
|
2022-09-13 01:07:25 +08:00
|
|
|
err = -EINVAL;
|
2023-01-31 18:56:13 +08:00
|
|
|
if (raw_bad_txframe(ro, skb, dev->mtu))
|
|
|
|
goto free_skb;
|
2022-09-13 01:07:25 +08:00
|
|
|
|
2022-04-21 18:31:52 +08:00
|
|
|
sockcm_init(&sockc, sk);
|
|
|
|
if (msg->msg_controllen) {
|
|
|
|
err = sock_cmsg_send(sk, msg, &sockc);
|
|
|
|
if (unlikely(err))
|
|
|
|
goto free_skb;
|
|
|
|
}
|
2010-08-03 15:31:48 +08:00
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
skb->dev = dev;
|
2014-01-24 20:17:37 +08:00
|
|
|
skb->priority = sk->sk_priority;
|
2023-07-28 23:03:15 +08:00
|
|
|
skb->mark = READ_ONCE(sk->sk_mark);
|
2022-04-21 18:31:52 +08:00
|
|
|
skb->tstamp = sockc.transmit_time;
|
|
|
|
|
|
|
|
skb_setup_tx_timestamp(skb, sockc.tsflags);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
err = can_send(skb, ro->loopback);
|
|
|
|
|
|
|
|
dev_put(dev);
|
|
|
|
|
|
|
|
if (err)
|
2008-12-15 15:16:58 +08:00
|
|
|
goto send_failed;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
return size;
|
2008-12-15 15:16:58 +08:00
|
|
|
|
|
|
|
free_skb:
|
|
|
|
kfree_skb(skb);
|
|
|
|
put_dev:
|
|
|
|
dev_put(dev);
|
|
|
|
send_failed:
|
|
|
|
return err;
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int raw_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
|
|
|
|
int flags)
|
2007-11-17 07:53:09 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct sk_buff *skb;
|
2008-02-08 10:05:04 +08:00
|
|
|
int err = 0;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2020-09-27 00:24:31 +08:00
|
|
|
if (flags & MSG_ERRQUEUE)
|
|
|
|
return sock_recv_errqueue(sk, msg, size,
|
|
|
|
SOL_CAN_RAW, SCM_CAN_RAW_ERRQUEUE);
|
|
|
|
|
2022-04-05 00:30:22 +08:00
|
|
|
skb = skb_recv_datagram(sk, flags, &err);
|
2007-11-17 07:53:09 +08:00
|
|
|
if (!skb)
|
2008-02-08 10:05:04 +08:00
|
|
|
return err;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2014-03-01 22:31:53 +08:00
|
|
|
if (size < skb->len)
|
2007-11-17 07:53:09 +08:00
|
|
|
msg->msg_flags |= MSG_TRUNC;
|
|
|
|
else
|
2014-03-01 22:31:53 +08:00
|
|
|
size = skb->len;
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2014-04-07 09:51:23 +08:00
|
|
|
err = memcpy_to_msg(msg, skb->data, size);
|
2008-02-08 10:05:04 +08:00
|
|
|
if (err < 0) {
|
2007-11-17 07:53:09 +08:00
|
|
|
skb_free_datagram(sk, skb);
|
2008-02-08 10:05:04 +08:00
|
|
|
return err;
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
2022-04-28 04:02:37 +08:00
|
|
|
sock_recv_cmsgs(msg, sk, skb);
|
2007-11-17 07:53:09 +08:00
|
|
|
|
|
|
|
if (msg->msg_name) {
|
2021-03-25 20:58:48 +08:00
|
|
|
__sockaddr_check_size(RAW_MIN_NAMELEN);
|
|
|
|
msg->msg_namelen = RAW_MIN_NAMELEN;
|
2007-11-17 07:53:09 +08:00
|
|
|
memcpy(msg->msg_name, skb->cb, msg->msg_namelen);
|
|
|
|
}
|
|
|
|
|
2010-10-19 17:32:04 +08:00
|
|
|
/* assign the flags that have been recorded in raw_rcv() */
|
|
|
|
msg->msg_flags |= *(raw_flags(skb));
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
skb_free_datagram(sk, skb);
|
|
|
|
|
|
|
|
return size;
|
|
|
|
}
|
|
|
|
|
2019-08-12 21:49:04 +08:00
|
|
|
static int raw_sock_no_ioctlcmd(struct socket *sock, unsigned int cmd,
|
|
|
|
unsigned long arg)
|
2019-07-30 04:40:56 +08:00
|
|
|
{
|
|
|
|
/* no ioctls for socket layer -> hand it down to NIC layer */
|
|
|
|
return -ENOIOCTLCMD;
|
|
|
|
}
|
|
|
|
|
2011-03-22 16:27:25 +08:00
|
|
|
static const struct proto_ops raw_ops = {
|
2007-11-17 07:53:09 +08:00
|
|
|
.family = PF_CAN,
|
|
|
|
.release = raw_release,
|
|
|
|
.bind = raw_bind,
|
|
|
|
.connect = sock_no_connect,
|
|
|
|
.socketpair = sock_no_socketpair,
|
|
|
|
.accept = sock_no_accept,
|
|
|
|
.getname = raw_getname,
|
2018-06-29 00:43:44 +08:00
|
|
|
.poll = datagram_poll,
|
2019-07-30 04:40:56 +08:00
|
|
|
.ioctl = raw_sock_no_ioctlcmd,
|
2019-04-18 04:51:48 +08:00
|
|
|
.gettstamp = sock_gettstamp,
|
2007-11-17 07:53:09 +08:00
|
|
|
.listen = sock_no_listen,
|
|
|
|
.shutdown = sock_no_shutdown,
|
|
|
|
.setsockopt = raw_setsockopt,
|
|
|
|
.getsockopt = raw_getsockopt,
|
|
|
|
.sendmsg = raw_sendmsg,
|
|
|
|
.recvmsg = raw_recvmsg,
|
|
|
|
.mmap = sock_no_mmap,
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct proto raw_proto __read_mostly = {
|
|
|
|
.name = "CAN_RAW",
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.obj_size = sizeof(struct raw_sock),
|
|
|
|
.init = raw_init,
|
|
|
|
};
|
|
|
|
|
2011-05-04 02:40:57 +08:00
|
|
|
static const struct can_proto raw_can_proto = {
|
2007-11-17 07:53:09 +08:00
|
|
|
.type = SOCK_RAW,
|
|
|
|
.protocol = CAN_RAW,
|
|
|
|
.ops = &raw_ops,
|
|
|
|
.prot = &raw_proto,
|
|
|
|
};
|
|
|
|
|
2021-06-05 18:26:35 +08:00
|
|
|
static struct notifier_block canraw_notifier = {
|
|
|
|
.notifier_call = raw_notifier
|
|
|
|
};
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
static __init int raw_module_init(void)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
2020-10-12 15:43:54 +08:00
|
|
|
pr_info("can: raw protocol\n");
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2022-08-27 15:20:10 +08:00
|
|
|
err = register_netdevice_notifier(&canraw_notifier);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
2007-11-17 07:53:09 +08:00
|
|
|
err = can_proto_register(&raw_can_proto);
|
2022-08-27 15:20:10 +08:00
|
|
|
if (err < 0) {
|
2019-08-13 15:07:14 +08:00
|
|
|
pr_err("can: registration of raw protocol failed\n");
|
2022-08-27 15:20:10 +08:00
|
|
|
goto register_proto_failed;
|
|
|
|
}
|
2007-11-17 07:53:09 +08:00
|
|
|
|
2022-08-27 15:20:10 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
register_proto_failed:
|
|
|
|
unregister_netdevice_notifier(&canraw_notifier);
|
2007-11-17 07:53:09 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __exit void raw_module_exit(void)
|
|
|
|
{
|
|
|
|
can_proto_unregister(&raw_can_proto);
|
2021-06-05 18:26:35 +08:00
|
|
|
unregister_netdevice_notifier(&canraw_notifier);
|
2007-11-17 07:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
module_init(raw_module_init);
|
|
|
|
module_exit(raw_module_exit);
|