can: j1939: prevent deadlock by moving j1939_sk_errqueue()

olerem · marckleinebudde · commit d1366b283d94 · 2023-03-27T11:03:22.000+02:00
This commit addresses a deadlock situation that can occur in certain scenarios, such as when running data TP/ETP transfer and subscribing to the error queue while receiving a net down event. The deadlock involves locks in the following order: 3 j1939_session_list_lock -> active_session_list_lock j1939_session_activate ... j1939_sk_queue_activate_next -> sk_session_queue_lock ... j1939_xtp_rx_eoma_one 2 j1939_sk_queue_drop_all -> sk_session_queue_lock ... j1939_sk_netdev_event_netdown -> j1939_socks_lock j1939_netdev_notify 1 j1939_sk_errqueue -> j1939_socks_lock __j1939_session_cancel -> active_session_list_lock j1939_tp_rxtimer CPU0 CPU1 ---- ---- lock(&priv->active_session_list_lock); lock(&jsk->sk_session_queue_lock); lock(&priv->active_session_list_lock); lock(&priv->j1939_socks_lock); The solution implemented in this commit is to move the j1939_sk_errqueue() call out of the active_session_list_lock context, thus preventing the deadlock situation. Reported-by: syzbot+ee1cd780f69483a8616b@syzkaller.appspotmail.com Fixes: 5b9272e ("can: j1939: extend UAPI to notify about RX status") Co-developed-by: Hillf Danton <hdanton@sina.com> Signed-off-by: Hillf Danton <hdanton@sina.com> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://lore.kernel.org/all/20230324130141.2132787-1-o.rempel@pengutronix.de Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struct j1939_session *session,
 
 	if (session->sk)
 		j1939_sk_send_loop_abort(session->sk, session->err);
-	else
-		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 }
 
 static void j1939_session_cancel(struct j1939_session *session,
@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct j1939_session *session,
 	}
 
 	j1939_session_list_unlock(session->priv);
+
+	if (!session->sk)
+		j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 }
 
 static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxtimer(struct hrtimer *hrtimer)
 			__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);
 		}
 		j1939_session_list_unlock(session->priv);
+
+		if (!session->sk)
+			j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
 	}
 
 	j1939_session_put(session);

Original file line number	Diff line number	Diff line change
`@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struct j1939_session *session,`
`1124`	`1124`
`1125`	`1125`	`if (session->sk)`
`1126`	`1126`	`j1939_sk_send_loop_abort(session->sk, session->err);`
`1127`		`- else`
`1128`		`- j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);`
`1129`	`1127`	`}`
`1130`	`1128`
`1131`	`1129`	`static void j1939_session_cancel(struct j1939_session *session,`
`@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct j1939_session *session,`
`1140`	`1138`	`}`
`1141`	`1139`
`1142`	`1140`	`j1939_session_list_unlock(session->priv);`
	`1141`	`+`
	`1142`	`+ if (!session->sk)`
	`1143`	`+ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);`
`1143`	`1144`	`}`
`1144`	`1145`
`1145`	`1146`	`static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)`
`@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxtimer(struct hrtimer *hrtimer)`
`1253`	`1254`	`__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);`
`1254`	`1255`	`}`
`1255`	`1256`	`j1939_session_list_unlock(session->priv);`
	`1257`	`+`
	`1258`	`+ if (!session->sk)`
	`1259`	`+ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);`
`1256`	`1260`	`}`
`1257`	`1261`
`1258`	`1262`	`j1939_session_put(session);`