From nobody Fri Jun 12 18:57:47 2026
Received: from smtp134-31.sina.com.cn (smtp134-31.sina.com.cn
 [180.149.134.31])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 01E183839B6
	for <linux-kernel@vger.kernel.org>; Wed, 13 May 2026 07:48:14 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=180.149.134.31
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778658501; cv=none;
 b=oLHKIEv/8wGSpf5gymmmx+zk0q4sI2GM9p5TipCsTR4hZ5OsfxPrRl82CakQSt7d/umGfaHw02DCmHDgIyIBYg/KPTGJ+W4JZwixh+q7VRaz+IoV0+d5B7qMm0oo5lHENyT9626vZPoPawhv/O82QitvQS43ST1iNwVoDcxHwsI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778658501; c=relaxed/simple;
	bh=cTZsfN76uapqxkSYX8K1QmRWON7vxCZjiy3TX0jboC4=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=HlgMwod2iL1YsPiuLNWY3IGLG6e7t1JjAcgoiJ+oc5ZtfFAh28zw0/hEFZEpuAGkiTu0Nudo81qJan/skNnZJwTeRY3jq5Nwoe56DcJof+VfhU6Y8ndfLqRUvOCOsZzii0r+/dO6uMuEVXfkxg+z/xhOgSDG/ib5gH3EYEdqZsM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=sina.cn;
 spf=pass smtp.mailfrom=sina.cn;
 dkim=pass (1024-bit key) header.d=sina.cn header.i=@sina.cn
 header.b=pQbV9P+w; arc=none smtp.client-ip=180.149.134.31
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=sina.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=sina.cn
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=sina.cn header.i=@sina.cn
 header.b="pQbV9P+w"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sina.cn; s=201208;
 t=1778658495;
	bh=vU6BJAlA7pm2cjTSAaNXNjdtuhv5bbu4WvAbz1Ch1Lw=;
	h=From:Subject:Date:Message-Id;
	b=pQbV9P+wpT9TA27y7nE09Lc/XaLJg5gXCyjr1G97jplf3AXSM83nMsGwkVGpEfjDi
	 7fD3zZWAZHxJWq9T1HLFYCzvnt0q4NWVK9cinVHIr2+4Kr03fLoR+8fZlBKUztOsbL
	 XszanFa8ExRjW5cgLHlL9PewlspqUTV3M4wz/Ch0=
X-SMAIL-HELO: NTT-kernel-dev
Received: from unknown (HELO NTT-kernel-dev)([60.247.85.88])
	by sina.cn (10.185.250.21) with ESMTP
	id 6A042CAE000016B9; Wed, 13 May 2026 15:48:05 +0800 (CST)
X-Sender: jianqkang@sina.cn
X-Auth-ID: jianqkang@sina.cn
Authentication-Results: sina.cn;
	 spf=none smtp.mailfrom=jianqkang@sina.cn;
	 dkim=none header.i=none;
	 dmarc=none action=none header.from=jianqkang@sina.cn
X-SMAIL-MID: 6073283408170
X-SMAIL-UIID: 9BD9D8ED099B4880B846C673BCEF642B-20260513-154805-1
From: Jianqiang kang <jianqkang@sina.cn>
To: gregkh@linuxfoundation.org,
	stable@vger.kernel.org,
	sam@bynar.io
Cc: patches@lists.linux.dev,
	linux-kernel@vger.kernel.org,
	socketcan@hartkopp.net,
	mkl@pengutronix.de,
	davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	linux-can@vger.kernel.org,
	netdev@vger.kernel.org
Subject: [PATCH 5.15.y] can: raw: fix ro->uniq use-after-free in raw_rcv()
Date: Wed, 13 May 2026 15:47:58 +0800
Message-Id: <20260513074758.4102262-1-jianqkang@sina.cn>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Samuel Page <sam@bynar.io>

[ Upstream commit a535a9217ca3f2fccedaafb2fddb4c48f27d36dc ]

raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.

Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for =
overlapping CAN filters")
Cc: stable@vger.kernel.org # v4.1+
Assisted-by: Bynario AI
Signed-off-by: Samuel Page <sam@bynar.io>
Link: https://patch.msgid.link/26ec626d-cae7-4418-9782-7198864d070c@bynar.io
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
[mkl: applied manually]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
---
 net/can/raw.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/can/raw.c b/net/can/raw.c
index e32ffcd200f3..b489689ada33 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -333,6 +333,14 @@ static int raw_notifier(struct notifier_block *nb, uns=
igned long msg,
 	return NOTIFY_DONE;
 }
=20
+static void raw_sock_destruct(struct sock *sk)
+{
+	struct raw_sock *ro =3D raw_sk(sk);
+
+	free_percpu(ro->uniq);
+	can_sock_destruct(sk);
+}
+
 static int raw_init(struct sock *sk)
 {
 	struct raw_sock *ro =3D raw_sk(sk);
@@ -358,6 +366,8 @@ static int raw_init(struct sock *sk)
 	if (unlikely(!ro->uniq))
 		return -ENOMEM;
=20
+	sk->sk_destruct =3D raw_sock_destruct;
+
 	/* set notifier */
 	spin_lock(&raw_notifier_lock);
 	list_add_tail(&ro->notifier, &raw_notifier_list);
@@ -405,7 +415,6 @@ static int raw_release(struct socket *sock)
 	ro->bound =3D 0;
 	ro->dev =3D NULL;
 	ro->count =3D 0;
-	free_percpu(ro->uniq);
=20
 	sock_orphan(sk);
 	sock->sk =3D NULL;
--=20
2.34.1