This is a note to let you know that I've just added the patch titled
can: j1939: prevent deadlock by moving j1939_sk_errqueue()
to the 6.2-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
can-j1939-prevent-deadlock-by-moving-j1939_sk_errqueue.patch
and it can be found in the queue-6.2 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From d1366b283d94ac4537a4b3a1e8668da4df7ce7e9 Mon Sep 17 00:00:00 2001
From: Oleksij Rempel <o.rempel@xxxxxxxxxxxxxx>
Date: Fri, 24 Mar 2023 14:01:41 +0100
Subject: can: j1939: prevent deadlock by moving j1939_sk_errqueue()
From: Oleksij Rempel <o.rempel@xxxxxxxxxxxxxx>
commit d1366b283d94ac4537a4b3a1e8668da4df7ce7e9 upstream.
This commit addresses a deadlock situation that can occur in certain
scenarios, such as when running data TP/ETP transfer and subscribing to
the error queue while receiving a net down event. The deadlock involves
locks in the following order:
3
j1939_session_list_lock -> active_session_list_lock
j1939_session_activate
...
j1939_sk_queue_activate_next -> sk_session_queue_lock
...
j1939_xtp_rx_eoma_one
2
j1939_sk_queue_drop_all -> sk_session_queue_lock
...
j1939_sk_netdev_event_netdown -> j1939_socks_lock
j1939_netdev_notify
1
j1939_sk_errqueue -> j1939_socks_lock
__j1939_session_cancel -> active_session_list_lock
j1939_tp_rxtimer
CPU0 CPU1
---- ----
lock(&priv->active_session_list_lock);
lock(&jsk->sk_session_queue_lock);
lock(&priv->active_session_list_lock);
lock(&priv->j1939_socks_lock);
The solution implemented in this commit is to move the
j1939_sk_errqueue() call out of the active_session_list_lock context,
thus preventing the deadlock situation.
Reported-by: syzbot+ee1cd780f69483a8616b@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 5b9272e93f2e ("can: j1939: extend UAPI to notify about RX status")
Co-developed-by: Hillf Danton <hdanton@xxxxxxxx>
Signed-off-by: Hillf Danton <hdanton@xxxxxxxx>
Signed-off-by: Oleksij Rempel <o.rempel@xxxxxxxxxxxxxx>
Link: https://lore.kernel.org/all/20230324130141.2132787-1-o.rempel@xxxxxxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/can/j1939/transport.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struc
if (session->sk)
j1939_sk_send_loop_abort(session->sk, session->err);
- else
- j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
}
static void j1939_session_cancel(struct j1939_session *session,
@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct
}
j1939_session_list_unlock(session->priv);
+
+ if (!session->sk)
+ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
}
static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxt
__j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT);
}
j1939_session_list_unlock(session->priv);
+
+ if (!session->sk)
+ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT);
}
j1939_session_put(session);
Patches currently in stable-queue which might be from o.rempel@xxxxxxxxxxxxxx are
queue-6.2/net-dsa-microchip-ksz8-fix-ksz8_fdb_dump.patch
queue-6.2/net-dsa-microchip-ksz8-fix-ksz8_fdb_dump-to-extract-.patch
queue-6.2/can-j1939-prevent-deadlock-by-moving-j1939_sk_errqueue.patch
queue-6.2/net-dsa-microchip-ksz8863_smi-fix-bulk-access.patch
queue-6.2/net-dsa-microchip-ksz8-fix-mdb-configuration-with-no.patch
queue-6.2/net-dsa-microchip-ksz8-ksz8_fdb_dump-avoid-extractin.patch
queue-6.2/net-dsa-microchip-ksz8-fix-offset-for-the-timestamp-.patch
