From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 683311EF39E for ; Tue, 14 Jul 2026 11:57:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784030262; cv=none; b=AXl6+nKw7XwS0t6Zp8P+oUsRSqDS0+mJUtcG67ofSLRRBH312zTmm6yKRQuiFA27CV4x00Ui9Ara+Eg/KARo9/komuC3VyPcCNQaLJqZHK/mNU/cLDEXqxECqrMwWrdSL8m/3P/9RORJ3Mcl2xMr7RFWaMZ9y+bqXcs9cLadBwc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784030262; c=relaxed/simple; bh=foqJkoujsC1BpuBFlea3/6nPSRu3pa2esCGSPzvPpwE=; h=From:Subject:To:Cc:In-Reply-To:References:Content-Type:Date: Message-Id; b=iVAb+ORbIAtHXdDEBFsuaXdMd21I8AXKjWBcuoQ3yt93vNkgSoPTLlS+H20CXB2Cizqskw7x3d+zSUBOJiycy6RtU2aSErG7VpCHly5mwp6+oUIUIU/EgspYty8/CNqk2Ipwos9o2k2bFQA5X4weIB3bUqSupo9ABuJYog6Tz5I= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=e5uSOp09; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="e5uSOp09" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A92C91F000E9; Tue, 14 Jul 2026 11:57:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1784030261; bh=2N/3fT55VW69rEEuAo2cAJBUNtIQ9X0BDGXp/aAqI98=; h=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date; b=e5uSOp09BXZ9GvwukII8Q+o0RR3O9gk+kTYu44HHI3DWTEx1CQLGal9A8+Lw2nxrR dRlpDLsRIEtOEdu4CCzd0u9uw+qWqQtiBGlLaQiYGMatdMONJamKW+bOuJGDImJulF 2kQb4iOsvdQeYxYg3OzpFMpOaJ3ooMuys8PJUCNJNyir3aGutSl/xXZYHWhy9lQely W2ZXjCmkVRuJRAZDEr1VbId6fPtR1FAQCOsj8wJsgYjTPeyYbbTLL5TCieJssaSJT5 YvU0ckz5LE5sMWQFH52bV32Fu+g89f51thcVqcUOqClUPUWm04q2oZr7L96GZlZo6D t7uxP5YgM9HWg== From: sashiko-bot@kernel.org Subject: Re: [PATCH v14 01/11] can: bcm: defer rx_op deallocation to workqueue to fix thrtimer UAF Reply-To: sashiko-reviews@lists.linux.dev To: "Oliver Hartkopp" Cc: "Oliver Hartkopp" , "Marc Kleine-Budde" , linux-can@vger.kernel.org, "Oleksij Rempel" , "Vincent Mailhol" In-Reply-To: <20260714-bcm_fixes-v14-1-867a4be60a61@hartkopp.net> References: <20260714-bcm_fixes-v14-0-867a4be60a61@hartkopp.net> <20260714-bcm_fixes-v14-1-867a4be60a61@hartkopp.net> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Date: Tue, 14 Jul 2026 11:57:40 +0000 Message-Id: <20260714115740.A92C91F000E9@smtp.kernel.org> Precedence: bulk X-Mailing-List: linux-can@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Thank you for your contribution! Sashiko AI review found 1 potential issue(= s) to consider: Pre-existing issues: - [High] The `/proc/net/can-bcm` read path contains data races when iterati= ng over `bo->rx_ops` and `bo->tx_ops`, leading to a potential kernel panic = (DoS). -- --- Patch [1]: [PATCH v14 01/11] can: bcm: defer rx_op deallocation to work= queue to fix thrtimer UAF --- commit f579f72c791d4b1c3e9b36c8937eb96317894b65 Author: Lee Jones can: bcm: defer rx_op deallocation to workqueue to fix thrtimer UAF This commit resolves a use-after-free in the CAN BCM module by deferring the timer cancellation and memory deallocation of bcm_op to a dedicated workqueue. It introduces flag checks and takes a reference on the socket to ensure it outlives the deferred work. > diff --git a/net/can/bcm.c b/net/can/bcm.c > index a4bef2c48a559..bdf53241bd7b3 100644 > --- a/net/can/bcm.c > +++ b/net/can/bcm.c [ ... ] > @@ -1060,6 +1081,7 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_he= ad, struct msghdr *msg, > =20 > /* bcm_can_tx / bcm_tx_timeout_handler needs this */ > op->sk =3D sk; > + sock_hold(sk); > op->ifindex =3D ifindex; > =20 > /* initialize uninitialized (kzalloc) structure */ [Severity: High] This isn't a bug introduced by this patch, but does the current code lack proper RCU publish semantics when inserting new BCM operations? While looking at bcm_tx_setup(), the new operation seems to be published using list_add(): list_add(&op->list, &bo->tx_ops); Similarly, bcm_rx_setup() appears to use list_add(): list_add(&op->list, &bo->rx_ops); If bcm_proc_show() iterates over these lists while holding only rcu_read_lock(), could this lead to uninitialized memory accesses or a kernel panic (DoS)? For example, bcm_proc_show() traverses tx_ops using a non-RCU iterator: list_for_each_entry(op, &bo->tx_ops, list) { Since list_add() lacks the smp_store_release() memory barrier provided by list_add_rcu(), and the traversal in bcm_proc_show() lacks READ_ONCE() and rcu_dereference() protections, could this expose the traversal to concurrent list mutations? An unprivileged user could potentially trigger this by continuously reading /proc/net/can-bcm/ while another thread repeatedly invokes sendmsg() with TX_SETUP/RX_SETUP and TX_DELETE/RX_DELETE opcodes to modify the lists. --=20 Sashiko AI review =C2=B7 https://sashiko.dev/#/patchset/20260714-bcm_fixes-= v14-0-867a4be60a61@hartkopp.net?part=3D1