can: gw: synchronize rcu operations before removing gw job entry

commit fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 upstream.

can_can_gw_rcv() is called under RCU protection, so after calling
can_rx_unregister(), we have to call synchronize_rcu in order to wait
for any RCU read-side critical sections to finish before removing the
kmem_cache entry with the referenced gw job entry.

Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/can/gw.c b/net/can/gw.c
index 5114b8f07fd4be8c2c34837f8b9dc6edc3e4e1c1..4db0b1819890df4cbe4927b852c6e9a55a7eaecd 100644 (file)
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -494,6 +494,7 @@ static int cgw_notifier(struct notifier_block *nb,
                        if (gwj->src.dev == dev || gwj->dst.dev == dev) {
                                hlist_del(&gwj->list);
                                cgw_unregister_filter(net, gwj);
+                               synchronize_rcu();
                                kmem_cache_free(cgw_cache, gwj);
                        }
                }
@@ -941,6 +942,7 @@ static void cgw_remove_all_jobs(struct net *net)
        hlist_for_each_entry_safe(gwj, nx, &net->can.cgw_list, list) {
                hlist_del(&gwj->list);
                cgw_unregister_filter(net, gwj);
+               synchronize_rcu();
                kmem_cache_free(cgw_cache, gwj);
        }
 }
@@ -1010,6 +1012,7 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh,
 
                hlist_del(&gwj->list);
                cgw_unregister_filter(net, gwj);
+               synchronize_rcu();
                kmem_cache_free(cgw_cache, gwj);
                err = 0;
                break;