5.10-stable patches

added patches:
	can-isotp-stop-timeout-monitoring-when-no-first-frame-was-sent.patch

diff --git a/queue-5.10/can-isotp-stop-timeout-monitoring-when-no-first-frame-was-sent.patch b/queue-5.10/can-isotp-stop-timeout-monitoring-when-no-first-frame-was-sent.patch
new file mode 100644 (file)
index 0000000..8f18e1f
--- /dev/null
+++ b/queue-5.10/can-isotp-stop-timeout-monitoring-when-no-first-frame-was-sent.patch
@@ -0,0 +1,64 @@
+From d73497081710c876c3c61444445512989e102152 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Tue, 5 Apr 2022 19:51:12 +0200
+Subject: can: isotp: stop timeout monitoring when no first frame was sent
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit d73497081710c876c3c61444445512989e102152 upstream.
+
+The first attempt to fix a the 'impossible' WARN_ON_ONCE(1) in
+isotp_tx_timer_handler() focussed on the identical CAN IDs created by
+the syzbot reproducer and lead to upstream fix/commit 3ea566422cbd
+("can: isotp: sanitize CAN ID checks in isotp_bind()"). But this did
+not catch the root cause of the wrong tx.state in the tx_timer handler.
+
+In the isotp 'first frame' case a timeout monitoring needs to be started
+before the 'first frame' is send. But when this sending failed the timeout
+monitoring for this specific frame has to be disabled too.
+
+Otherwise the tx_timer is fired with the 'warn me' tx.state of ISOTP_IDLE.
+
+Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
+Link: https://lore.kernel.org/all/20220405175112.2682-1-socketcan@hartkopp.net
+Reported-by: syzbot+2339c27f5c66c652843e@syzkaller.appspotmail.com
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -864,6 +864,7 @@ static int isotp_sendmsg(struct socket *
+       struct canfd_frame *cf;
+       int ae = (so->opt.flags & CAN_ISOTP_EXTEND_ADDR) ? 1 : 0;
+       int wait_tx_done = (so->opt.flags & CAN_ISOTP_WAIT_TX_DONE) ? 1 : 0;
++      s64 hrtimer_sec = 0;
+       int off;
+       int err;
+ 
+@@ -962,7 +963,9 @@ static int isotp_sendmsg(struct socket *
+               isotp_create_fframe(cf, so, ae);
+ 
+               /* start timeout for FC */
+-              hrtimer_start(&so->txtimer, ktime_set(1, 0), HRTIMER_MODE_REL_SOFT);
++              hrtimer_sec = 1;
++              hrtimer_start(&so->txtimer, ktime_set(hrtimer_sec, 0),
++                            HRTIMER_MODE_REL_SOFT);
+       }
+ 
+       /* send the first or only CAN frame */
+@@ -975,6 +978,11 @@ static int isotp_sendmsg(struct socket *
+       if (err) {
+               pr_notice_once("can-isotp: %s: can_send_ret %d\n",
+                              __func__, err);
++
++              /* no transmission -> no timeout monitoring */
++              if (hrtimer_sec)
++                      hrtimer_cancel(&so->txtimer);
++
+               goto err_out_drop;
+       }
+ 

diff --git a/queue-5.10/series b/queue-5.10/series
index 47742ec1060b295876459e503bc35eb82dbef1c5..43d2d819bbd6366d19b1bacbbfc8e9b59a6d8859 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -78,3 +78,4 @@ ext4-limit-length-to-bitmap_maxbytes-blocksize-in-punch_hole.patch
 ext4-doc-fix-incorrect-h_reserved-size.patch
 ext4-fix-overhead-calculation-to-account-for-the-reserved-gdt-blocks.patch
 ext4-force-overhead-calculation-if-the-s_overhead_cluster-makes-no-sense.patch
+can-isotp-stop-timeout-monitoring-when-no-first-frame-was-sent.patch