Commit ddeeb7d4 authored by Oleksij Rempel's avatar Oleksij Rempel Committed by Marc Kleine-Budde

can: j1939: j1939_can_recv(): add priv refcounting

j1939_can_recv() can be called in parallel with socket release. In this
case sk_release and sk_destruct can be done earlier than
j1939_can_recv() is processed.

Reported-by: syzbot+ca172a0ac477ac90f045@syzkaller.appspotmail.com
Reported-by: syzbot+07ca5bce8530070a5650@syzkaller.appspotmail.com
Reported-by: syzbot+a47537d3964ef6c874e1@syzkaller.appspotmail.com
Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
parent 8d7a5f00
...@@ -51,6 +51,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data) ...@@ -51,6 +51,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
if (!skb) if (!skb)
return; return;
j1939_priv_get(priv);
can_skb_set_owner(skb, iskb->sk); can_skb_set_owner(skb, iskb->sk);
/* get a pointer to the header of the skb /* get a pointer to the header of the skb
...@@ -104,6 +105,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data) ...@@ -104,6 +105,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
j1939_simple_recv(priv, skb); j1939_simple_recv(priv, skb);
j1939_sk_recv(priv, skb); j1939_sk_recv(priv, skb);
done: done:
j1939_priv_put(priv);
kfree_skb(skb); kfree_skb(skb);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment