On 19.06.2021 13:18:13, Thadeu Lima de Souza Cascardo wrote: > can_rx_register callbacks may be called concurrently to the call to > can_rx_unregister. The callbacks and callback data, though, are protected by > RCU and the struct sock reference count. > > So the callback data is really attached to the life of sk, meaning that it > should be released on sk_destruct. However, bcm_remove_op calls tasklet_kill, > and RCU callbacks may be called under RCU softirq, so that cannot be used on > kernels before the introduction of HRTIMER_MODE_SOFT. > > However, bcm_rx_handler is called under RCU protection, so after calling > can_rx_unregister, we may call synchronize_rcu in order to wait for any RCU > read-side critical sections to finish. That is, bcm_rx_handler won't be called > anymore for those ops. So, we only free them, after we do that synchronize_rcu. > > Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@xxxxxxxxxxxxxxxxxxxxxxxxx > Reported-by: Norbert Slusarek <nslusarek@xxxxxxx> > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> Added to linux-can/testing. Thanks, Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: PGP signature
