diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2026-04-12 19:24:15 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-04-12 19:24:16 +0300 |
| commit | 372169fd9519bc44ebd9addfc1cd6e4ce10c7c62 (patch) | |
| tree | 3f3ec15adcb01d27fd864523b5b3048788e43ee0 | |
| parent | 65782b2db7321d5f97c16718c4c7f6c7205a56be (diff) | |
| parent | a535a9217ca3f2fccedaafb2fddb4c48f27d36dc (diff) | |
| download | linux-372169fd9519bc44ebd9addfc1cd6e4ce10c7c62.tar.xz | |
Merge tag 'linux-can-fixes-for-7.0-20260409' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
Marc Kleine-Budde says:
====================
pull-request: can 2026-04-09
Johan Hovold's patch fixes the a devres lifetime in the ucan driver.
The last patch is by Samuel Page and fixes a use-after-free in
raw_rcv() in the CAN_RAW protocol.
* tag 'linux-can-fixes-for-7.0-20260409' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
can: raw: fix ro->uniq use-after-free in raw_rcv()
can: ucan: fix devres lifetime
====================
Link: https://patch.msgid.link/20260409165942.588421-1-mkl@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
| -rw-r--r-- | drivers/net/can/usb/ucan.c | 2 | ||||
| -rw-r--r-- | net/can/raw.c | 11 |
2 files changed, 11 insertions, 2 deletions
diff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 0ea0ac75e42f..ee3c1abbd063 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1397,7 +1397,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { diff --git a/net/can/raw.c b/net/can/raw.c index eee244ffc31e..58a96e933deb 100644 --- a/net/can/raw.c +++ b/net/can/raw.c @@ -361,6 +361,14 @@ static int raw_notifier(struct notifier_block *nb, unsigned long msg, return NOTIFY_DONE; } +static void raw_sock_destruct(struct sock *sk) +{ + struct raw_sock *ro = raw_sk(sk); + + free_percpu(ro->uniq); + can_sock_destruct(sk); +} + static int raw_init(struct sock *sk) { struct raw_sock *ro = raw_sk(sk); @@ -387,6 +395,8 @@ static int raw_init(struct sock *sk) if (unlikely(!ro->uniq)) return -ENOMEM; + sk->sk_destruct = raw_sock_destruct; + /* set notifier */ spin_lock(&raw_notifier_lock); list_add_tail(&ro->notifier, &raw_notifier_list); @@ -436,7 +446,6 @@ static int raw_release(struct socket *sock) ro->bound = 0; ro->dev = NULL; ro->count = 0; - free_percpu(ro->uniq); sock_orphan(sk); sock->sk = NULL; |