From d2ca776770a66d80ef0f4c1ceb067ff125a96784 Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Date: Fri, 11 Jun 2021 16:14:08 -0300
Subject: [PATCH] UBUNTU: SAUCE: can: j1939: delay release of j1939_priv after
 synchronize_rcu

BugLink: https://bugs.launchpad.net/bugs/1932209 (UAF on CAN J1939 j1939_can_recv (LP: #1932209))

can_rx_register callbacks may be called concurrently to the call to
can_rx_unregister. The callbacks and callback data, though, are protected
by RCU.

Since those can_rx_register callbacks are called under RCU protection,
after calling can_rx_unregister we may call synchronize_rcu in order to
wait for any RCU read-side critical sections to finish. After that, RX
handlers won't be called anymore for that data, so we only free it
once that synchronize_rcu has returned.

In the case of j1939, we should not call synchronize_rcu while holding
j1939_netdev_lock, so we defer j1939_priv_put to after we have unlocked it.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Benjamin M Romer <benjamin.romer@canonical.com>
Acked-by: Ian May <ian.may@canonical.com>
---
 net/can/j1939/main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c
index e52330f628c9f..f53df216d6965 100644
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -192,8 +192,6 @@ static void j1939_can_rx_unregister(struct j1939_priv *priv)
 
 	can_rx_unregister(dev_net(ndev), ndev, J1939_CAN_ID, J1939_CAN_MASK,
 			  j1939_can_recv, priv);
-
-	j1939_priv_put(priv);
 }
 
 static void __j1939_rx_release(struct kref *kref)
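Review bot: With the put removed, j1939_can_rx_unregister() no longer balances the reference its counterpart presumably takes on registration, and nothing in the function tells a reader who now owns the final j1939_priv_put(); a comment on the function would make the new contract explicit, e.g. `/* Does not drop the priv reference: the caller must synchronize_rcu() and then j1939_priv_put(), since j1939_can_recv() may still be running. */`. If j1939_can_rx_unregister() has any caller other than __j1939_rx_release(), that caller now leaks a reference unless it does the same, which is worth confirming. The function starts outside the hunk.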
@@ -206,6 +204,8 @@ static void __j1939_rx_release(struct kref *kref)
 	j1939_ecu_unmap_all(priv);
 	j1939_priv_set(priv->ndev, NULL);
 	spin_unlock(&j1939_netdev_lock);
+	synchronize_rcu();
+	j1939_priv_put(priv);
 }
 
 /* get pointer to priv without increasing ref counter */
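Review bot: The new synchronize_rcu() makes this kref release callback block, which is only correct if every final kref_put() on rx_kref happens in a sleepable context; that requirement should be stated where the call is made, e.g. `/* Sleeps: wait for in-flight j1939_can_recv() readers before the final put. */`, and a `might_sleep();` before the call would turn a future atomic-context caller into a diagnosed error rather than a silent bug. The reference dropped by j1939_priv_put() on the following line is the last one that the RX path could observe, so priv must not be touched after it. The spin_unlock on the previous line implies the function is entered with j1939_netdev_lock held; the function's start is outside the hunk.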