UBUNTU: SAUCE: can: j1939: delay release of j1939_priv after synchronize_rcu

BugLink: https://bugs.launchpad.net/bugs/1932209 (UAF on CAN J1939 j1939_can_recv (LP: #1932209))

can_rx_register callbacks may be called concurrently to the call to
can_rx_unregister. The callbacks and callback data, though, are protected
by RCU.

As those can_rx_register callbacks are called under RCU protection, after
calling can_rx_unregister we may call synchronize_rcu in order to wait for
any RCU read-side critical sections to finish. That is, RX handlers won't
be called anymore for that data. So, we only free them after we do that
synchronize_rcu.

In the case of j1939, we should not call synchronize_rcu while holding
j1939_netdev_lock, so we defer j1939_priv_put to after we have unlocked it.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Benjamin M Romer <benjamin.romer@canonical.com>
Acked-by: Ian May <ian.may@canonical.com>
Thadeu Lima de Souza Cascardo committed Jun 16, 2021
1 parent a9b1054 commit d2ca776
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions net/can/j1939/main.c
Expand Up @@ -192,8 +192,6 @@ static void j1939_can_rx_unregister(struct j1939_priv *priv)

can_rx_unregister(dev_net(ndev), ndev, J1939_CAN_ID, J1939_CAN_MASK,
j1939_can_recv, priv);

j1939_priv_put(priv);
}

static void __j1939_rx_release(struct kref *kref)
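Review bot: dropping j1939_priv_put(priv) from j1939_can_rx_unregister() means this function no longer releases the reference it previously paired with the can_rx_unregister() call; the put now has to happen in the caller after an RCU grace period. Please confirm __j1939_rx_release() is the only caller of j1939_can_rx_unregister(), since any other caller would now leak that reference, and add a short comment above can_rx_unregister() stating that the caller owns the priv reference and must drop it only after synchronize_rcu(), so the put is not reintroduced here later.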
Expand All @@ -206,6 +204,8 @@ static void __j1939_rx_release(struct kref *kref)
j1939_ecu_unmap_all(priv);
j1939_priv_set(priv->ndev, NULL);
spin_unlock(&j1939_netdev_lock);
synchronize_rcu();
j1939_priv_put(priv);
}

/* get pointer to priv without increasing ref counter */
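Review bot: synchronize_rcu() blocks until a grace period completes, so __j1939_rx_release() now requires a sleepable context; as a kref release callback it runs in whatever context performs the final kref_put, and nothing in the hunk documents that requirement. Consider a might_sleep() at the top of the function, or a comment on the synchronize_rcu() line saying it waits for in-flight j1939_can_recv() callbacks to finish before j1939_priv_put(priv) can free priv, which also records why the call sits after spin_unlock(&j1939_netdev_lock) rather than inside the locked region.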
