| author | Samuel Page <sam@bynar.io> | 2026-04-08 15:30:13 +0100 |
|---|---|---|
| committer | Marc Kleine-Budde <mkl@pengutronix.de> | 2026-04-09 18:51:42 +0200 |
| commit | a535a9217ca3f2fccedaafb2fddb4c48f27d36dc (patch) | |
| tree | db54e3f74d16e5de83f164fbc7fdff7b2d47ae87 /drivers/ide/ppc/git@git.tavy.me:linux.git | |
| parent | fed4626501c871890da287bec62a96e52da1af89 (diff) | |
can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.

Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for overlapping CAN filters")
Cc: stable@vger.kernel.org # v4.1+
Assisted-by: Bynario AI
Signed-off-by: Samuel Page <sam@bynar.io>
Link: https://patch.msgid.link/26ec626d-cae7-4418-9782-7198864d070c@bynar.io
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
[mkl: applied manually]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

Diffstat (limited to 'drivers/ide/ppc/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
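
The lifetime ordering described in the commit message, as an added userspace model (not kernel code and not part of this patch). All struct and function names are hypothetical stand-ins; the flag `free_in_release` selects the behaviour before the fix.

```c
#include <stdlib.h>

/* Constructed userspace model; names are hypothetical stand-ins, not kernel APIs. */
struct sock_model {
    int refcnt;      /* socket reference count */
    int *uniq;       /* stands in for the percpu ro->uniq area */
    int uniq_freed;  /* set once uniq has been released */
};

static void free_uniq(struct sock_model *sk)
{
    free(sk->uniq);  /* free(NULL) is a no-op on a second call */
    sk->uniq = NULL;
    sk->uniq_freed = 1;
}

/* Last reference dropped: models the socket destructor freeing uniq. */
static void sock_put(struct sock_model *sk)
{
    if (--sk->refcnt == 0)
        free_uniq(sk);
}

/* Models can_rx_unregister(): takes a socket reference that only the
 * deferred (RCU) callback drops. */
static void rx_unregister(struct sock_model *sk) { sk->refcnt++; }
static void rcu_callback(struct sock_model *sk) { sock_put(sk); }

/* Release path; free_in_release=1 models the behaviour before the fix. */
static void sock_release_model(struct sock_model *sk, int free_in_release)
{
    rx_unregister(sk);
    if (free_in_release)
        free_uniq(sk);
    sock_put(sk); /* drop the socket's own reference */
}

/* Returns 1 if uniq is still allocated in the window between release and
 * the deferred callback (while a receive handler may still run) and is
 * freed once that callback has dropped the last reference. */
static int uniq_alive_in_window(int free_in_release)
{
    struct sock_model sk = { 1, calloc(1, sizeof(int)), 0 };
    int alive;

    sock_release_model(&sk, free_in_release);
    alive = !sk.uniq_freed;
    rcu_callback(&sk); /* callbacks drained: last reference goes away */
    return alive && sk.uniq_freed;
}
```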
