net/can: fix poll setup to properly find and use free pollfd slots #17743
+28
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Bug Description: The original code always used conn->pollinfo[0] (the first element) to store new poll setup context, regardless of whether that slot was already in use. This caused multiple poll operations on the same CAN socket to overwrite each other's context, leading to: - Lost poll waiters when multiple threads poll the same socket - Memory corruption in pollfd structures - Undefined behavior when poll_teardown tries to clean up Root Cause: The code directly assigned `info = conn->pollinfo` without checking if the slot was available, effectively always using pollinfo[0]. When a second thread called poll() on the same socket, it would overwrite the first thread's poll context. Solution: 1. Initialize info to NULL instead of conn->pollinfo 2. Before setting up poll, iterate through all CONFIG_NET_CAN_NPOLLWAITERS slots to find the first free slot (where fds == NULL) 3. Return -EBUSY if no free slots are available 4. During teardown, properly mark the slot as free by setting fds = NULL Additional Changes: - Added CONFIG_NET_CAN_NPOLLWAITERS Kconfig option (default 4) to make the maximum number of concurrent poll waiters configurable - Changed hardcoded array size from 4 to CONFIG_NET_CAN_NPOLLWAITERS - Fixed lock ordering in teardown to ensure fds is cleared before unlock Impact: - Enables multiple threads to safely poll the same CAN socket concurrently - Prevents poll context corruption in multi-threaded applications - Provides proper resource management with -EBUSY when all slots are full - Makes the number of supported concurrent pollers configurable per use case Signed-off-by: dongjiuzhu1 <[email protected]>
Donny9
requested review from
Ouss4,
raiden00pl and
xiaoxiang781216
as code owners
github-actions
bot
added
Area: Networking
anchao
approved these changes
Dec 30, 2025
xiaoxiang781216
approved these changes
Dec 30, 2025
acassis
approved these changes
Dec 30, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Bug Description:
The original code always used conn->pollinfo[0] (the first element) to store new poll setup context, regardless of whether that slot was already in use. This caused multiple poll operations on the same CAN socket to overwrite each other's context, leading to:
Root Cause:
The code directly assigned
info = conn->pollinfowithout checking if the slot was available, effectively always using pollinfo[0]. When a second thread called poll() on the same socket, it would overwrite the first thread's poll context.Solution:
Additional Changes:
Impact:
Impact
Testing
can_send
can_dump
pass base on qemu