| From dac5e6249159ac255dad9781793dbe5908ac9ddb Mon Sep 17 00:00:00 2001 |
| From: Oliver Hartkopp <socketcan@hartkopp.net> |
| Date: Mon, 19 May 2025 14:50:27 +0200 |
| Subject: can: bcm: add missing rcu read protection for procfs content |
| |
| From: Oliver Hartkopp <socketcan@hartkopp.net> |
| |
| commit dac5e6249159ac255dad9781793dbe5908ac9ddb upstream. |
| |
| When the procfs content is generated for a bcm_op which is in the process |
| to be removed the procfs output might show unreliable data (UAF). |
| |
| As the removal of bcm_op's is already implemented with rcu handling this |
| patch adds the missing rcu_read_lock() and makes sure the list entries |
| are properly removed under rcu protection. |
| |
| Fixes: f1b4e32aca08 ("can: bcm: use call_rcu() instead of costly synchronize_rcu()") |
| Reported-by: Anderson Nascimento <anderson@allelesecurity.com> |
| Suggested-by: Anderson Nascimento <anderson@allelesecurity.com> |
| Tested-by: Anderson Nascimento <anderson@allelesecurity.com> |
| Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> |
| Link: https://patch.msgid.link/20250519125027.11900-2-socketcan@hartkopp.net |
| Cc: stable@vger.kernel.org # >= 5.4 |
| Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/can/bcm.c | 13 +++++++++---- |
| 1 file changed, 9 insertions(+), 4 deletions(-) |
| |
| --- a/net/can/bcm.c |
| +++ b/net/can/bcm.c |
| @@ -219,7 +219,9 @@ static int bcm_proc_show(struct seq_file |
| seq_printf(m, " / bound %s", bcm_proc_getifname(net, ifname, bo->ifindex)); |
| seq_printf(m, " <<<\n"); |
| |
| - list_for_each_entry(op, &bo->rx_ops, list) { |
| + rcu_read_lock(); |
| + |
| + list_for_each_entry_rcu(op, &bo->rx_ops, list) { |
| |
| unsigned long reduction; |
| |
| @@ -275,6 +277,9 @@ static int bcm_proc_show(struct seq_file |
| seq_printf(m, "# sent %ld\n", op->frames_abs); |
| } |
| seq_putc(m, '\n'); |
| + |
| + rcu_read_unlock(); |
| + |
| return 0; |
| } |
| #endif /* CONFIG_PROC_FS */ |
| @@ -858,7 +863,7 @@ static int bcm_delete_rx_op(struct list_ |
| REGMASK(op->can_id), |
| bcm_rx_handler, op); |
| |
| - list_del(&op->list); |
| + list_del_rcu(&op->list); |
| bcm_remove_op(op); |
| return 1; /* done */ |
| } |
| @@ -878,7 +883,7 @@ static int bcm_delete_tx_op(struct list_ |
| list_for_each_entry_safe(op, n, ops, list) { |
| if ((op->can_id == mh->can_id) && (op->ifindex == ifindex) && |
| (op->flags & CAN_FD_FRAME) == (mh->flags & CAN_FD_FRAME)) { |
| - list_del(&op->list); |
| + list_del_rcu(&op->list); |
| bcm_remove_op(op); |
| return 1; /* done */ |
| } |
| @@ -1300,7 +1305,7 @@ static int bcm_rx_setup(struct bcm_msg_h |
| bcm_rx_handler, op, "bcm", sk); |
| if (err) { |
| /* this bcm rx op is broken -> remove it */ |
| - list_del(&op->list); |
| + list_del_rcu(&op->list); |
| bcm_remove_op(op); |
| return err; |
| } |