mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 4e096a1886
			
		
	
	
		4e096a1886
		
	
	
	
	
		
			
			Since20dd3850bc("can: Speed up CAN frame receiption by using ml_priv") the CAN framework uses per device specific data in the AF_CAN protocol. For this purpose the struct net_device->ml_priv is used. Later the ml_priv usage in CAN was extended for other users, one of them being CAN_J1939. Later in the kernel ml_priv was converted to an union, used by other drivers. E.g. the tun driver started storing it's stats pointer. Since tun devices can claim to be a CAN device, CAN specific protocols will wrongly interpret this pointer, which will cause system crashes. Mostly this issue is visible in the CAN_J1939 stack. To fix this issue, we request a dedicated CAN pointer within the net_device struct. Reported-by: syzbot+5138c4dd15a0401bec7b@syzkaller.appspotmail.com Fixes:20dd3850bc("can: Speed up CAN frame receiption by using ml_priv") Fixes:ffd956eef6("can: introduce CAN midlayer private and allocate it automatically") Fixes:9d71dd0c70("can: add support of SAE J1939 protocol") Fixes:497a5757ce("tun: switch to net core provided statistics counters") Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://lore.kernel.org/r/20210223070127.4538-1-o.rempel@pengutronix.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
		
			
				
	
	
		
			471 lines
		
	
	
		
			11 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			471 lines
		
	
	
		
			11 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0-only
 | |
| /* Copyright (C) 2005 Marc Kleine-Budde, Pengutronix
 | |
|  * Copyright (C) 2006 Andrey Volkov, Varma Electronics
 | |
|  * Copyright (C) 2008-2009 Wolfgang Grandegger <wg@grandegger.com>
 | |
|  */
 | |
| 
 | |
| #include <linux/module.h>
 | |
| #include <linux/kernel.h>
 | |
| #include <linux/slab.h>
 | |
| #include <linux/netdevice.h>
 | |
| #include <linux/if_arp.h>
 | |
| #include <linux/workqueue.h>
 | |
| #include <linux/can.h>
 | |
| #include <linux/can/can-ml.h>
 | |
| #include <linux/can/dev.h>
 | |
| #include <linux/can/skb.h>
 | |
| #include <linux/can/led.h>
 | |
| #include <linux/of.h>
 | |
| 
 | |
| #define MOD_DESC "CAN device driver interface"
 | |
| 
 | |
| MODULE_DESCRIPTION(MOD_DESC);
 | |
| MODULE_LICENSE("GPL v2");
 | |
| MODULE_AUTHOR("Wolfgang Grandegger <wg@grandegger.com>");
 | |
| 
 | |
| static void can_update_state_error_stats(struct net_device *dev,
 | |
| 					 enum can_state new_state)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 
 | |
| 	if (new_state <= priv->state)
 | |
| 		return;
 | |
| 
 | |
| 	switch (new_state) {
 | |
| 	case CAN_STATE_ERROR_WARNING:
 | |
| 		priv->can_stats.error_warning++;
 | |
| 		break;
 | |
| 	case CAN_STATE_ERROR_PASSIVE:
 | |
| 		priv->can_stats.error_passive++;
 | |
| 		break;
 | |
| 	case CAN_STATE_BUS_OFF:
 | |
| 		priv->can_stats.bus_off++;
 | |
| 		break;
 | |
| 	default:
 | |
| 		break;
 | |
| 	}
 | |
| }
 | |
| 
 | |
| static int can_tx_state_to_frame(struct net_device *dev, enum can_state state)
 | |
| {
 | |
| 	switch (state) {
 | |
| 	case CAN_STATE_ERROR_ACTIVE:
 | |
| 		return CAN_ERR_CRTL_ACTIVE;
 | |
| 	case CAN_STATE_ERROR_WARNING:
 | |
| 		return CAN_ERR_CRTL_TX_WARNING;
 | |
| 	case CAN_STATE_ERROR_PASSIVE:
 | |
| 		return CAN_ERR_CRTL_TX_PASSIVE;
 | |
| 	default:
 | |
| 		return 0;
 | |
| 	}
 | |
| }
 | |
| 
 | |
| static int can_rx_state_to_frame(struct net_device *dev, enum can_state state)
 | |
| {
 | |
| 	switch (state) {
 | |
| 	case CAN_STATE_ERROR_ACTIVE:
 | |
| 		return CAN_ERR_CRTL_ACTIVE;
 | |
| 	case CAN_STATE_ERROR_WARNING:
 | |
| 		return CAN_ERR_CRTL_RX_WARNING;
 | |
| 	case CAN_STATE_ERROR_PASSIVE:
 | |
| 		return CAN_ERR_CRTL_RX_PASSIVE;
 | |
| 	default:
 | |
| 		return 0;
 | |
| 	}
 | |
| }
 | |
| 
 | |
| const char *can_get_state_str(const enum can_state state)
 | |
| {
 | |
| 	switch (state) {
 | |
| 	case CAN_STATE_ERROR_ACTIVE:
 | |
| 		return "Error Active";
 | |
| 	case CAN_STATE_ERROR_WARNING:
 | |
| 		return "Error Warning";
 | |
| 	case CAN_STATE_ERROR_PASSIVE:
 | |
| 		return "Error Passive";
 | |
| 	case CAN_STATE_BUS_OFF:
 | |
| 		return "Bus Off";
 | |
| 	case CAN_STATE_STOPPED:
 | |
| 		return "Stopped";
 | |
| 	case CAN_STATE_SLEEPING:
 | |
| 		return "Sleeping";
 | |
| 	default:
 | |
| 		return "<unknown>";
 | |
| 	}
 | |
| 
 | |
| 	return "<unknown>";
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(can_get_state_str);
 | |
| 
 | |
| void can_change_state(struct net_device *dev, struct can_frame *cf,
 | |
| 		      enum can_state tx_state, enum can_state rx_state)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 	enum can_state new_state = max(tx_state, rx_state);
 | |
| 
 | |
| 	if (unlikely(new_state == priv->state)) {
 | |
| 		netdev_warn(dev, "%s: oops, state did not change", __func__);
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	netdev_dbg(dev, "Controller changed from %s State (%d) into %s State (%d).\n",
 | |
| 		   can_get_state_str(priv->state), priv->state,
 | |
| 		   can_get_state_str(new_state), new_state);
 | |
| 
 | |
| 	can_update_state_error_stats(dev, new_state);
 | |
| 	priv->state = new_state;
 | |
| 
 | |
| 	if (!cf)
 | |
| 		return;
 | |
| 
 | |
| 	if (unlikely(new_state == CAN_STATE_BUS_OFF)) {
 | |
| 		cf->can_id |= CAN_ERR_BUSOFF;
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	cf->can_id |= CAN_ERR_CRTL;
 | |
| 	cf->data[1] |= tx_state >= rx_state ?
 | |
| 		       can_tx_state_to_frame(dev, tx_state) : 0;
 | |
| 	cf->data[1] |= tx_state <= rx_state ?
 | |
| 		       can_rx_state_to_frame(dev, rx_state) : 0;
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(can_change_state);
 | |
| 
 | |
| /* CAN device restart for bus-off recovery */
 | |
| static void can_restart(struct net_device *dev)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 	struct net_device_stats *stats = &dev->stats;
 | |
| 	struct sk_buff *skb;
 | |
| 	struct can_frame *cf;
 | |
| 	int err;
 | |
| 
 | |
| 	BUG_ON(netif_carrier_ok(dev));
 | |
| 
 | |
| 	/* No synchronization needed because the device is bus-off and
 | |
| 	 * no messages can come in or go out.
 | |
| 	 */
 | |
| 	can_flush_echo_skb(dev);
 | |
| 
 | |
| 	/* send restart message upstream */
 | |
| 	skb = alloc_can_err_skb(dev, &cf);
 | |
| 	if (!skb)
 | |
| 		goto restart;
 | |
| 
 | |
| 	cf->can_id |= CAN_ERR_RESTARTED;
 | |
| 
 | |
| 	stats->rx_packets++;
 | |
| 	stats->rx_bytes += cf->len;
 | |
| 
 | |
| 	netif_rx_ni(skb);
 | |
| 
 | |
| restart:
 | |
| 	netdev_dbg(dev, "restarted\n");
 | |
| 	priv->can_stats.restarts++;
 | |
| 
 | |
| 	/* Now restart the device */
 | |
| 	err = priv->do_set_mode(dev, CAN_MODE_START);
 | |
| 
 | |
| 	netif_carrier_on(dev);
 | |
| 	if (err)
 | |
| 		netdev_err(dev, "Error %d during restart", err);
 | |
| }
 | |
| 
 | |
| static void can_restart_work(struct work_struct *work)
 | |
| {
 | |
| 	struct delayed_work *dwork = to_delayed_work(work);
 | |
| 	struct can_priv *priv = container_of(dwork, struct can_priv,
 | |
| 					     restart_work);
 | |
| 
 | |
| 	can_restart(priv->dev);
 | |
| }
 | |
| 
 | |
| int can_restart_now(struct net_device *dev)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 
 | |
| 	/* A manual restart is only permitted if automatic restart is
 | |
| 	 * disabled and the device is in the bus-off state
 | |
| 	 */
 | |
| 	if (priv->restart_ms)
 | |
| 		return -EINVAL;
 | |
| 	if (priv->state != CAN_STATE_BUS_OFF)
 | |
| 		return -EBUSY;
 | |
| 
 | |
| 	cancel_delayed_work_sync(&priv->restart_work);
 | |
| 	can_restart(dev);
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| /* CAN bus-off
 | |
|  *
 | |
|  * This functions should be called when the device goes bus-off to
 | |
|  * tell the netif layer that no more packets can be sent or received.
 | |
|  * If enabled, a timer is started to trigger bus-off recovery.
 | |
|  */
 | |
| void can_bus_off(struct net_device *dev)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 
 | |
| 	if (priv->restart_ms)
 | |
| 		netdev_info(dev, "bus-off, scheduling restart in %d ms\n",
 | |
| 			    priv->restart_ms);
 | |
| 	else
 | |
| 		netdev_info(dev, "bus-off\n");
 | |
| 
 | |
| 	netif_carrier_off(dev);
 | |
| 
 | |
| 	if (priv->restart_ms)
 | |
| 		schedule_delayed_work(&priv->restart_work,
 | |
| 				      msecs_to_jiffies(priv->restart_ms));
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(can_bus_off);
 | |
| 
 | |
| void can_setup(struct net_device *dev)
 | |
| {
 | |
| 	dev->type = ARPHRD_CAN;
 | |
| 	dev->mtu = CAN_MTU;
 | |
| 	dev->hard_header_len = 0;
 | |
| 	dev->addr_len = 0;
 | |
| 	dev->tx_queue_len = 10;
 | |
| 
 | |
| 	/* New-style flags. */
 | |
| 	dev->flags = IFF_NOARP;
 | |
| 	dev->features = NETIF_F_HW_CSUM;
 | |
| }
 | |
| 
 | |
| /* Allocate and setup space for the CAN network device */
 | |
| struct net_device *alloc_candev_mqs(int sizeof_priv, unsigned int echo_skb_max,
 | |
| 				    unsigned int txqs, unsigned int rxqs)
 | |
| {
 | |
| 	struct can_ml_priv *can_ml;
 | |
| 	struct net_device *dev;
 | |
| 	struct can_priv *priv;
 | |
| 	int size;
 | |
| 
 | |
| 	/* We put the driver's priv, the CAN mid layer priv and the
 | |
| 	 * echo skb into the netdevice's priv. The memory layout for
 | |
| 	 * the netdev_priv is like this:
 | |
| 	 *
 | |
| 	 * +-------------------------+
 | |
| 	 * | driver's priv           |
 | |
| 	 * +-------------------------+
 | |
| 	 * | struct can_ml_priv      |
 | |
| 	 * +-------------------------+
 | |
| 	 * | array of struct sk_buff |
 | |
| 	 * +-------------------------+
 | |
| 	 */
 | |
| 
 | |
| 	size = ALIGN(sizeof_priv, NETDEV_ALIGN) + sizeof(struct can_ml_priv);
 | |
| 
 | |
| 	if (echo_skb_max)
 | |
| 		size = ALIGN(size, sizeof(struct sk_buff *)) +
 | |
| 			echo_skb_max * sizeof(struct sk_buff *);
 | |
| 
 | |
| 	dev = alloc_netdev_mqs(size, "can%d", NET_NAME_UNKNOWN, can_setup,
 | |
| 			       txqs, rxqs);
 | |
| 	if (!dev)
 | |
| 		return NULL;
 | |
| 
 | |
| 	priv = netdev_priv(dev);
 | |
| 	priv->dev = dev;
 | |
| 
 | |
| 	can_ml = (void *)priv + ALIGN(sizeof_priv, NETDEV_ALIGN);
 | |
| 	can_set_ml_priv(dev, can_ml);
 | |
| 
 | |
| 	if (echo_skb_max) {
 | |
| 		priv->echo_skb_max = echo_skb_max;
 | |
| 		priv->echo_skb = (void *)priv +
 | |
| 			(size - echo_skb_max * sizeof(struct sk_buff *));
 | |
| 	}
 | |
| 
 | |
| 	priv->state = CAN_STATE_STOPPED;
 | |
| 
 | |
| 	INIT_DELAYED_WORK(&priv->restart_work, can_restart_work);
 | |
| 
 | |
| 	return dev;
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(alloc_candev_mqs);
 | |
| 
 | |
| /* Free space of the CAN network device */
 | |
| void free_candev(struct net_device *dev)
 | |
| {
 | |
| 	free_netdev(dev);
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(free_candev);
 | |
| 
 | |
| /* changing MTU and control mode for CAN/CANFD devices */
 | |
| int can_change_mtu(struct net_device *dev, int new_mtu)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 
 | |
| 	/* Do not allow changing the MTU while running */
 | |
| 	if (dev->flags & IFF_UP)
 | |
| 		return -EBUSY;
 | |
| 
 | |
| 	/* allow change of MTU according to the CANFD ability of the device */
 | |
| 	switch (new_mtu) {
 | |
| 	case CAN_MTU:
 | |
| 		/* 'CANFD-only' controllers can not switch to CAN_MTU */
 | |
| 		if (priv->ctrlmode_static & CAN_CTRLMODE_FD)
 | |
| 			return -EINVAL;
 | |
| 
 | |
| 		priv->ctrlmode &= ~CAN_CTRLMODE_FD;
 | |
| 		break;
 | |
| 
 | |
| 	case CANFD_MTU:
 | |
| 		/* check for potential CANFD ability */
 | |
| 		if (!(priv->ctrlmode_supported & CAN_CTRLMODE_FD) &&
 | |
| 		    !(priv->ctrlmode_static & CAN_CTRLMODE_FD))
 | |
| 			return -EINVAL;
 | |
| 
 | |
| 		priv->ctrlmode |= CAN_CTRLMODE_FD;
 | |
| 		break;
 | |
| 
 | |
| 	default:
 | |
| 		return -EINVAL;
 | |
| 	}
 | |
| 
 | |
| 	dev->mtu = new_mtu;
 | |
| 	return 0;
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(can_change_mtu);
 | |
| 
 | |
| /* Common open function when the device gets opened.
 | |
|  *
 | |
|  * This function should be called in the open function of the device
 | |
|  * driver.
 | |
|  */
 | |
| int open_candev(struct net_device *dev)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 
 | |
| 	if (!priv->bittiming.bitrate) {
 | |
| 		netdev_err(dev, "bit-timing not yet defined\n");
 | |
| 		return -EINVAL;
 | |
| 	}
 | |
| 
 | |
| 	/* For CAN FD the data bitrate has to be >= the arbitration bitrate */
 | |
| 	if ((priv->ctrlmode & CAN_CTRLMODE_FD) &&
 | |
| 	    (!priv->data_bittiming.bitrate ||
 | |
| 	     priv->data_bittiming.bitrate < priv->bittiming.bitrate)) {
 | |
| 		netdev_err(dev, "incorrect/missing data bit-timing\n");
 | |
| 		return -EINVAL;
 | |
| 	}
 | |
| 
 | |
| 	/* Switch carrier on if device was stopped while in bus-off state */
 | |
| 	if (!netif_carrier_ok(dev))
 | |
| 		netif_carrier_on(dev);
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(open_candev);
 | |
| 
 | |
| #ifdef CONFIG_OF
 | |
| /* Common function that can be used to understand the limitation of
 | |
|  * a transceiver when it provides no means to determine these limitations
 | |
|  * at runtime.
 | |
|  */
 | |
| void of_can_transceiver(struct net_device *dev)
 | |
| {
 | |
| 	struct device_node *dn;
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 	struct device_node *np = dev->dev.parent->of_node;
 | |
| 	int ret;
 | |
| 
 | |
| 	dn = of_get_child_by_name(np, "can-transceiver");
 | |
| 	if (!dn)
 | |
| 		return;
 | |
| 
 | |
| 	ret = of_property_read_u32(dn, "max-bitrate", &priv->bitrate_max);
 | |
| 	of_node_put(dn);
 | |
| 	if ((ret && ret != -EINVAL) || (!ret && !priv->bitrate_max))
 | |
| 		netdev_warn(dev, "Invalid value for transceiver max bitrate. Ignoring bitrate limit.\n");
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(of_can_transceiver);
 | |
| #endif
 | |
| 
 | |
| /* Common close function for cleanup before the device gets closed.
 | |
|  *
 | |
|  * This function should be called in the close function of the device
 | |
|  * driver.
 | |
|  */
 | |
| void close_candev(struct net_device *dev)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 
 | |
| 	cancel_delayed_work_sync(&priv->restart_work);
 | |
| 	can_flush_echo_skb(dev);
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(close_candev);
 | |
| 
 | |
| /* Register the CAN network device */
 | |
| int register_candev(struct net_device *dev)
 | |
| {
 | |
| 	struct can_priv *priv = netdev_priv(dev);
 | |
| 
 | |
| 	/* Ensure termination_const, termination_const_cnt and
 | |
| 	 * do_set_termination consistency. All must be either set or
 | |
| 	 * unset.
 | |
| 	 */
 | |
| 	if ((!priv->termination_const != !priv->termination_const_cnt) ||
 | |
| 	    (!priv->termination_const != !priv->do_set_termination))
 | |
| 		return -EINVAL;
 | |
| 
 | |
| 	if (!priv->bitrate_const != !priv->bitrate_const_cnt)
 | |
| 		return -EINVAL;
 | |
| 
 | |
| 	if (!priv->data_bitrate_const != !priv->data_bitrate_const_cnt)
 | |
| 		return -EINVAL;
 | |
| 
 | |
| 	dev->rtnl_link_ops = &can_link_ops;
 | |
| 	netif_carrier_off(dev);
 | |
| 
 | |
| 	return register_netdev(dev);
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(register_candev);
 | |
| 
 | |
| /* Unregister the CAN network device */
 | |
| void unregister_candev(struct net_device *dev)
 | |
| {
 | |
| 	unregister_netdev(dev);
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(unregister_candev);
 | |
| 
 | |
| /* Test if a network device is a candev based device
 | |
|  * and return the can_priv* if so.
 | |
|  */
 | |
| struct can_priv *safe_candev_priv(struct net_device *dev)
 | |
| {
 | |
| 	if (dev->type != ARPHRD_CAN || dev->rtnl_link_ops != &can_link_ops)
 | |
| 		return NULL;
 | |
| 
 | |
| 	return netdev_priv(dev);
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(safe_candev_priv);
 | |
| 
 | |
| static __init int can_dev_init(void)
 | |
| {
 | |
| 	int err;
 | |
| 
 | |
| 	can_led_notifier_init();
 | |
| 
 | |
| 	err = can_netlink_register();
 | |
| 	if (!err)
 | |
| 		pr_info(MOD_DESC "\n");
 | |
| 
 | |
| 	return err;
 | |
| }
 | |
| module_init(can_dev_init);
 | |
| 
 | |
| static __exit void can_dev_exit(void)
 | |
| {
 | |
| 	can_netlink_unregister();
 | |
| 
 | |
| 	can_led_notifier_exit();
 | |
| }
 | |
| module_exit(can_dev_exit);
 | |
| 
 | |
| MODULE_ALIAS_RTNL_LINK("can");
 |