When closing the isotp socket the potentially running hrtimers are
canceled before removing the subscription for CAN idendifiers via
can_rx_unregister().
This may lead to an unintended (re)start of a hrtimer in isotp_rcv_cf()
and isotp_rcv_fc() in the case that a CAN frame is received by
isotp_rcv() while the subscription removal is processed.
However, isotp_rcv() is called under RCU protection, so after calling
can_rx_unregister, we may call synchronize_rcu in order to wait for any
RCU read-side critical sections to finish. This prevents the reception
of CAN frames after hrtimer_cancel() and therefore the unintended
(re)start of the hrtimers.
Signed-off-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
---
net/can/isotp.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/can/isotp.c b/net/can/isotp.c
index be6183f8ca11..234cc4ad179a 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1026,13 +1026,10 @@ static int isotp_release(struct socket *sock)
list_del(&so->notifier);
spin_unlock(&isotp_notifier_lock);
lock_sock(sk);
- hrtimer_cancel(&so->txtimer);
- hrtimer_cancel(&so->rxtimer);
-
/* remove current filters & unregister */
if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST))) {
if (so->ifindex) {
struct net_device *dev;
@@ -1040,14 +1037,18 @@ static int isotp_release(struct socket *sock)
if (dev) {
can_rx_unregister(net, dev, so->rxid,
SINGLE_MASK(so->rxid),
isotp_rcv, sk);
dev_put(dev);
+ synchronize_rcu();
}
}
}
+ hrtimer_cancel(&so->txtimer);
+ hrtimer_cancel(&so->rxtimer);
+
so->ifindex = 0;
so->bound = 0;
sock_orphan(sk);
sock->sk = NULL;
--
2.30.2
