From: Oleksij Rempel <o.rempel@pengutronix.de>

mainline inclusion
from mainline-v5.4-rc8
commit ddeeb7d4822ed06d79fc15e822b70dce3fa77e39
category: bugfix
bugzilla: 38684
CVE: NA
---------------------------
j1939_can_recv() can be called in parallel with socket release. In this case sk_release and sk_destruct can be done earlier than j1939_can_recv() is processed.
Reported-by: syzbot+ca172a0ac477ac90f045@syzkaller.appspotmail.com
Reported-by: syzbot+07ca5bce8530070a5650@syzkaller.appspotmail.com
Reported-by: syzbot+a47537d3964ef6c874e1@syzkaller.appspotmail.com
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Reviewed-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 net/can/j1939/main.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c index 8dc935dc2e54..2afcf27c72c8 100644 --- a/net/can/j1939/main.c +++ b/net/can/j1939/main.c @@ -51,6 +51,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data) if (!skb) return;
+ j1939_priv_get(priv); can_skb_set_owner(skb, iskb->sk);
/* get a pointer to the header of the skb @@ -104,6 +105,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data) j1939_simple_recv(priv, skb); j1939_sk_recv(priv, skb); done: + j1939_priv_put(priv); kfree_skb(skb); }
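Review bot: for the first hunk (`@@ -51,6 +51,7 @@`), the commit message should state what guarantees `priv` is still valid at the moment `j1939_priv_get(priv)` executes. Taking the reference after the `if (!skb) return;` check correctly avoids leaking a count on the clone-failure path and keeps `priv` alive for the rest of the receive path, but a get can only extend a lifetime that has not already ended; the race the message describes (sk_release/sk_destruct finishing before `j1939_can_recv()` is processed) is only closed if something else (the rx-filter unregistration ordering, RCU, or a reference held by the filter registration) prevents the callback from being entered with an already-freed `priv`. A one-line comment above the get naming that mechanism would make the fix reviewable without reading the rest of `main.c`.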
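Review bot: for the second hunk (`@@ -104,6 +105,7 @@`), placing `j1939_priv_put(priv)` under the `done:` label means every exit path between the get in the first hunk and `done:` must reach the label; any `return` in the body that is not visible in this context (the hunk shows only `j1939_simple_recv(priv, skb); j1939_sk_recv(priv, skb); done:`) would now leak a `priv` reference and keep the socket's private data pinned forever. Please confirm in the message that all such paths already use `goto done`, or convert them as part of this change. The order `j1939_priv_put(priv); kfree_skb(skb);` is fine as shown, since the skb's owner was set from `iskb->sk` rather than from `priv`.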