From: Sam P
Date: Wed, 8 Apr 2026 15:30:13 +0100
Message-ID: <26ec626d-cae7-4418-9782-7198864d070c@bynar.io>
To: netdev@vger.kernel.org
Cc: socketcan@hartkopp.net, mkl@pengutronix.de, linux-kernel@vger.kernel.org, linux-can@vger.kernel.org
Subject: [PATCH net] can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via
can_rx_unregister(), but receiver deletion is deferred with call_rcu().
This leaves a window where raw_rcv() may still be running in an RCU
read-side critical section after raw_release() frees ro->uniq, leading
to a use-after-free of the percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.

Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for overlapping CAN filters")
Cc: stable@vger.kernel.org # v4.1+
Assisted-by: Bynario AI
Signed-off-by: Samuel Page
Acked-by: Oliver Hartkopp
---
 net/can/raw.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/can/raw.c b/net/can/raw.c index eee244ffc31e..f042c4316890 100644 --- a/net/can/raw.c +++ b/net/can/raw.c @@ -361,6 +361,14 @@ static int raw_notifier(struct notifier_block *nb, uns= igned long msg, return NOTIFY_DONE; } =20 +static void raw_sock_destruct(struct sock *sk) +{ + struct raw_sock *ro =3D raw_sk(sk); + + free_percpu(ro->uniq); + can_sock_destruct(sk); +} + static int raw_init(struct sock *sk) { struct raw_sock *ro =3D raw_sk(sk); @@ -387,6 +395,8 @@ static int raw_init(struct sock *sk) if (unlikely(!ro->uniq)) return -ENOMEM; =20 + sk->sk_destruct =3D raw_sock_destruct; + /* set notifier */ spin_lock(&raw_notifier_lock); list_add_tail(&ro->notifier, &raw_notifier_list); @@ -436,7 +446,6 @@ static int raw_release(struct socket *sock) ro->bound =3D 0; ro->dev =3D NULL; ro->count =3D 0; - free_percpu(ro->uniq); =20 sock_orphan(sk); sock->sk =3D NULL; --=20 2.49.0
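
Review bot: raw_sock_destruct() in the first hunk carries no comment saying why uniq is freed in the destructor instead of in raw_release(). The reason is only in the commit message (receiver deletion is deferred with call_rcu(), so raw_rcv() can still read ro->uniq after release). A short comment above the function stating that uniq must outlive the RCU-deferred receivers would keep a later cleanup from moving free_percpu() back into raw_release().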
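
Review bot: in the raw_init() hunk, sk->sk_destruct is overwritten unconditionally after the `if (unlikely(!ro->uniq)) return -ENOMEM;` check, and the new destructor preserves the old behaviour only by calling can_sock_destruct() by hand. Please confirm that can_sock_destruct is the only destructor a raw socket can have installed before raw_init() runs; if another one can be set, this assignment drops it silently. Leaving the destructor unchanged on the -ENOMEM path is fine, since uniq was never allocated there, but a one-line comment that the ordering is deliberate would help.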
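
Review bot: with free_percpu(ro->uniq) removed in the raw_release() hunk, the lifetime of uniq rests entirely on the socket reference that, according to the commit message, can_rx_unregister() holds until its RCU callback runs, and nothing in this diff shows that reference. The changelog should name where it is taken and dropped, and it is worth checking that every path that unregisters a raw_rcv() receiver takes it, because a path that does not would let sk_destruct run, and free uniq, while a receiver is still live.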