lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 15 Nov 2021 09:11:59 +0100
From:   Johan Hovold <johan@...nel.org>
To:     Pavel Skripkin <paskripkin@...il.com>
Cc:     mailhol.vincent@...adoo.fr, wg@...ndegger.com, mkl@...gutronix.de,
        davem@...emloft.net, kuba@...nel.org, linux-can@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] can: etas_es58x: fix error handling

On Mon, Nov 15, 2021 at 10:51:24AM +0300, Pavel Skripkin wrote:
> When register_candev() fails there are 2 possible device states:
> NETREG_UNINITIALIZED and NETREG_UNREGISTERED. None of them are suitable
> for calling unregister_candev(), because of following checks in
> unregister_netdevice_many():
> 
> 	if (dev->reg_state == NETREG_UNINITIALIZED)
> 		WARN_ON(1);
> ...
> 	BUG_ON(dev->reg_state != NETREG_REGISTERED);
> 
> To avoid possible BUG_ON or WARN_ON let's free current netdev before
> returning from es58x_init_netdev() and leave others (registered)
> net devices for es58x_free_netdevs().
> 
> Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
> Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> ---
> 
> Changes in v2:
> 	- Fixed Fixes: tag
> 	- Moved es58x_dev->netdev[channel_idx] initialization at the end
> 	  of the function
> 
> ---
>  drivers/net/can/usb/etas_es58x/es58x_core.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
> index 96a13c770e4a..b3af8f2e32ac 100644
> --- a/drivers/net/can/usb/etas_es58x/es58x_core.c
> +++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
> @@ -2091,19 +2091,22 @@ static int es58x_init_netdev(struct es58x_device *es58x_dev, int channel_idx)
>  		return -ENOMEM;
>  	}
>  	SET_NETDEV_DEV(netdev, dev);
> -	es58x_dev->netdev[channel_idx] = netdev;
>  	es58x_init_priv(es58x_dev, es58x_priv(netdev), channel_idx);
>  
>  	netdev->netdev_ops = &es58x_netdev_ops;
>  	netdev->flags |= IFF_ECHO;	/* We support local echo */
>  
>  	ret = register_candev(netdev);
> -	if (ret)
> +	if (ret) {
> +		free_candev(netdev);
>  		return ret;
> +	}
>  
>  	netdev_queue_set_dql_min_limit(netdev_get_tx_queue(netdev, 0),
>  				       es58x_dev->param->dql_min_limit);
>  
> +	es58x_dev->netdev[channel_idx] = netdev;
> +

Just a drive-by comment: 

Are you sure about this move of the netdev[channel_idx] initialisation?
What happens if the registered can device is opened before you
initialise the pointer? NULL-deref in es58x_send_msg()?

You generally want the driver data fully initialised before you register
the device so this looks broken.

And either way it is arguably an unrelated change that should go in a
separate patch explaining why it is needed and safe.

>  	return ret;
>  }

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ