| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c57cdb0f-83c5-4550-91b9-61d068bd8264@I-love.SAKURA.ne.jp>
Date: Sat, 22 Nov 2025 22:03:40 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Oleksij Rempel <o.rempel@...gutronix.de>
Cc: linux-can@...r.kernel.org, Network Development <netdev@...r.kernel.org>,
Marc Kleine-Budde <mkl@...gutronix.de>
Subject: Re: [can/j1939] unregister_netdevice: waiting for vcan0 to become
free. Usage count = 2
On 2025/11/22 16:00, Tetsuo Handa wrote:
> So, not only we need to make sure that all existing j1939_session are destroyed
> but also we need to make sure that no new j1939_session is created if underlying
> net_device is no longer in NETREG_REGISTERED state.
For your testing, here is a delay injection patch and a complete reproducer.
---------- delay injection patch start ----------
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index fbf5c8001c9d..601a32397f72 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1492,6 +1492,9 @@ static struct j1939_session *j1939_session_new(struct j1939_priv *priv,
struct j1939_session *session;
struct j1939_sk_buff_cb *skcb;
+ pr_info("%s() delay start\n", __func__);
+ mdelay(5000);
+ pr_info("%s() delay end\n", __func__);
session = kzalloc(sizeof(*session), gfp_any());
if (!session)
return NULL;
---------- delay injection patch end ----------
---------- j1939_example.c start ----------
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/can.h>
#include <linux/can/j1939.h>
#include <net/if.h>
#include <errno.h>
#define IF_NAME "vcan0"
#define SRC_ADDR 0x20 // SA
#define DST_ADDR 0x30 // DA
#define PGN_TX 0x12300 // Sender PGN
#define PGN_RX 0x12300 // Receiver PGN
static void sender_task(int sock_s);
static void receiver_task(int sock_r);
int main(int argc, char *argv[])
{
int sock_s, sock_r;
struct sockaddr_can addr_s, addr_r;
struct ifreq ifr;
// Create a new namespace.
if (unshare(CLONE_NEWNET)) {
perror("unshare failed");
return 1;
}
// Create vcan0 in that namespace.
system("/usr/sbin/ip link add dev vcan0 type vcan");
system("/usr/sbin/ip link set up vcan0");
sock_s = socket(PF_CAN, SOCK_DGRAM, CAN_J1939);
sock_r = socket(PF_CAN, SOCK_DGRAM, CAN_J1939);
if (sock_s < 0 || sock_r < 0) {
perror("socket creation failed");
return 1;
}
strcpy(ifr.ifr_name, IF_NAME);
if (ioctl(sock_s, SIOCGIFINDEX, &ifr) < 0) {
perror("ioctl SIOCGIFINDEX failed");
return 1;
}
addr_s.can_family = AF_CAN;
addr_s.can_ifindex = ifr.ifr_ifindex;
addr_s.can_addr.j1939.name = J1939_NO_NAME;
addr_s.can_addr.j1939.addr = SRC_ADDR;
addr_s.can_addr.j1939.pgn = J1939_NO_PGN;
// Delete vcan0 in that namespace while bind() on vcan0 is in progress.
if (fork() == 0) {
sleep(1);
system("/usr/sbin/ip link del dev vcan0 type vcan");
_exit(0);
}
// Delay is injected by the kernel side.
if (bind(sock_s, (struct sockaddr *)&addr_s, sizeof(addr_s)) < 0) {
perror("sender bind failed");
return 1;
}
addr_r.can_family = AF_CAN;
addr_r.can_ifindex = ifr.ifr_ifindex;
addr_r.can_addr.j1939.name = J1939_NO_NAME;
addr_r.can_addr.j1939.addr = DST_ADDR;
addr_r.can_addr.j1939.pgn = PGN_RX;
if (bind(sock_r, (struct sockaddr *)&addr_r, sizeof(addr_r)) < 0) {
perror("receiver bind failed");
return 1;
}
printf("J1939 sockets set up on %s\n", IF_NAME);
printf("Sender (SA 0x%02X) and Receiver (PGN 0x%05X) ready.\n", SRC_ADDR, PGN_RX);
sender_task(sock_s);
receiver_task(sock_r);
return 0;
}
static void sender_task(int sock_s) {
struct sockaddr_can addr_dest;
socklen_t len_dest = sizeof(addr_dest);
char data[] = "Hello J1939 Localhost!";
addr_dest.can_family = AF_CAN;
addr_dest.can_ifindex = 0;
addr_dest.can_addr.j1939.name = J1939_NO_NAME;
addr_dest.can_addr.j1939.addr = DST_ADDR;
addr_dest.can_addr.j1939.pgn = PGN_TX;
printf("Sending message: \"%s\" (Length: %lu)\n", data, (unsigned long)strlen(data) + 1);
if (sendto(sock_s, data, strlen(data) + 1, 0, (struct sockaddr *)&addr_dest, len_dest) < 0) {
perror("sendto failed");
} else {
printf("Message sent successfully.\n");
}
}
static void receiver_task(int sock_r) {
struct sockaddr_can addr_src;
socklen_t len_src = sizeof(addr_src);
char buffer[256];
ssize_t bytes_received;
printf("Waiting for messages...\n");
bytes_received = recvfrom(sock_r, buffer, sizeof(buffer) - 1, 0, (struct sockaddr *)&addr_src, &len_src);
if (bytes_received < 0) {
perror("recvfrom failed");
} else {
buffer[bytes_received] = '\0';
printf("Received %zd bytes from SA 0x%02X, PGN 0x%05X: \"%s\"\n",
bytes_received, addr_src.can_addr.j1939.addr, addr_src.can_addr.j1939.pgn, buffer);
}
}
---------- j1939_example.c end ----------
Powered by blists - more mailing lists