From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Samuel Page, Oliver Hartkopp, Marc Kleine-Budde
Subject: [PATCH 5.15 053/776] can: raw: fix ro->uniq use-after-free in raw_rcv()
Date: Sat, 30 May 2026 17:56:07 +0200
Message-ID: <20260530160241.682404166@linuxfoundation.org>
In-Reply-To: <20260530160240.228940103@linuxfoundation.org>
References: <20260530160240.228940103@linuxfoundation.org>

5.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Samuel Page

commit a535a9217ca3f2fccedaafb2fddb4c48f27d36dc upstream.

raw_release() unregisters raw CAN receive filters via
can_rx_unregister(), but receiver deletion is deferred with call_rcu().
This leaves a window where raw_rcv() may still be running in an RCU
read-side critical section after raw_release() frees ro->uniq, leading
to a use-after-free of the percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.

Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for overlapping CAN filters")
Cc: stable@vger.kernel.org # v4.1+
Assisted-by: Bynario AI
Signed-off-by: Samuel Page
Link: https://patch.msgid.link/26ec626d-cae7-4418-9782-7198864d070c@bynar.io
Acked-by: Oliver Hartkopp
[mkl: applied manually]
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Greg Kroah-Hartman
---
 net/can/raw.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/net/can/raw.c +++ b/net/can/raw.c 
@@ -333,6 +333,14 @@ static int raw_notifier(struct notifier_ return NOTIFY_DONE; } +static void raw_sock_destruct(struct sock *sk) +{ + struct raw_sock *ro = raw_sk(sk); + + free_percpu(ro->uniq); + can_sock_destruct(sk); +} + static int raw_init(struct sock *sk) { struct raw_sock *ro = raw_sk(sk); @@ -358,6 +366,8 @@ static int raw_init(struct sock *sk) if (unlikely(!ro->uniq)) return -ENOMEM; + sk->sk_destruct = raw_sock_destruct; + /* set notifier */ spin_lock(&raw_notifier_lock); list_add_tail(&ro->notifier, &raw_notifier_list); @@ -405,7 +415,6 @@ static int raw_release(struct socket *so ro->bound = 0; ro->dev = NULL; ro->count = 0; - free_percpu(ro->uniq); sock_orphan(sk); sock->sk = NULL;
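
Review bot: raw_sock_destruct() in the first hunk calls can_sock_destruct(), yet the diffstat touches only net/can/raw.c, so this backport relies on the 5.15 tree already declaring that function where raw.c can see it. Since the patch was applied manually, a build of net/can/raw.c on 5.15 should be part of the review. A one-line comment above free_percpu(ro->uniq) saying that raw_rcv() may still run until the deferred receiver removal has completed would also record why the free belongs in the destructor.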
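
Review bot: In the raw_init() hunk, sk->sk_destruct = raw_sock_destruct is assigned only after the "if (unlikely(!ro->uniq)) return -ENOMEM;" check, so on allocation failure the socket keeps whatever destructor it had before raw_init() ran. Nothing leaks on that path because uniq was never allocated, but the hunk does not say the placement is deliberate; a short comment stating that the override is installed only once uniq exists would make the error path easier to audit.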
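
Review bot: In the raw_release() hunk, the removed free_percpu(ro->uniq) sits in a run of resets (ro->bound = 0, ro->dev = NULL, ro->count = 0), and after this change nothing at that spot explains why uniq is the one field left alone. Suggest leaving a comment there, for example "ro->uniq is freed in raw_sock_destruct()", so a later cleanup does not move the free back into the release path.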
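
The lifetime argument in the commit message, as an added userspace model that is not part of the patch or of the kernel: a reference count and a "late receiver" call stand in for the socket refcount and for raw_rcv() running after release, and every model_* name is hypothetical. It compares freeing uniq in release with freeing it from the destructor that runs on the last reference drop.

```c
/* Userspace model, not kernel code; every model_* name is hypothetical. */
#include <stdbool.h>
#include <stdlib.h>

struct model_sock {
    int refcnt;             /* stands in for the socket reference count */
    int *uniq;              /* stands in for the percpu ro->uniq storage */
    bool uniq_freed, stale_access;
    bool free_in_release;   /* true models the pre-patch raw_release() */
};

static void model_sock_put(struct model_sock *sk)
{
    if (--sk->refcnt > 0 || sk->uniq_freed)
        return;
    free(sk->uniq);         /* destructor: last reference is gone */
    sk->uniq_freed = true;
}

static void model_late_rcv(struct model_sock *sk)
{
    if (sk->uniq_freed)
        sk->stale_access = true;  /* record the window, never touch freed memory */
    else
        sk->uniq[0]++;
}

static void model_release(struct model_sock *sk)
{
    sk->refcnt++;           /* unregister pins the socket for its deferred callback */
    if (sk->free_in_release) {
        free(sk->uniq);
        sk->uniq_freed = true;
    }
    model_sock_put(sk);     /* the owner's reference goes away */
}

/* 1: a late receiver saw freed storage; 0: it did not; -1: OOM or leak. */
static int model_run(bool free_in_release)
{
    struct model_sock sk = { .refcnt = 1, .uniq = calloc(1, sizeof(int)),
                             .free_in_release = free_in_release };
    if (!sk.uniq)
        return -1;
    model_release(&sk);
    model_late_rcv(&sk);    /* receiver still running after release */
    model_sock_put(&sk);    /* deferred callback drops the pinned reference */
    return sk.uniq_freed ? sk.stale_access : -1;
}
```

Call model_run(true) and model_run(false) from a small main() to compare the two orderings.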