Commit 5d560223 authored by Tetsuo Handa, committed by Marc Kleine-Budde

can: j1939: make j1939_session_activate() fail if device is no longer registered



syzbot is still reporting

  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2

even after commit 93a27b58 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.

Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev->reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.

Reported-by: syzbot <syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/b9653191-d479-4c8b-8536-1326d028db5c@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
parent 885bebac
+2 −0
@@ -1567,6 +1567,8 @@ int j1939_session_activate(struct j1939_session *session)
	if (active) {
		j1939_session_put(active);
		ret = -EAGAIN;
	} else if (priv->ndev->reg_state != NETREG_REGISTERED) {
		ret = -ENODEV;
	} else {
		WARN_ON_ONCE(session->state != J1939_SESSION_NEW);
		list_add_tail(&session->active_session_list_entry,
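
Review bot: the new `else if (priv->ndev->reg_state != NETREG_REGISTERED)` branch carries no comment explaining why the check has to sit at this exact point. According to the commit message it closes the race only because it runs with the session list lock held, the same lock under which j1939_cancel_active_session() is processed from the NETDEV_UNREGISTER notifier. A short comment above the branch saying so would keep a later refactor from hoisting the test out of the locked region and reopening the window. Separately, this function can now return -ENODEV in addition to -EAGAIN, so callers that were written with only -EAGAIN in mind should be checked to confirm they treat the new value as a plain activation failure and do not retry against a device that is going away.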