forked from Minki/linux
can: j1939: j1939_can_recv(): add priv refcounting
j1939_can_recv() can be called in parallel with socket release. In this
case sk_release and sk_destruct can be done earlier than
j1939_can_recv() is processed.
Reported-by: syzbot+ca172a0ac477ac90f045@syzkaller.appspotmail.com
Reported-by: syzbot+07ca5bce8530070a5650@syzkaller.appspotmail.com
Reported-by: syzbot+a47537d3964ef6c874e1@syzkaller.appspotmail.com
Fixes: 9d71dd0c70
("can: add support of SAE J1939 protocol")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
This commit is contained in:
parent
8d7a5f000e
commit
ddeeb7d482
@ -51,6 +51,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
|
||||
if (!skb)
|
||||
return;
|
||||
|
||||
j1939_priv_get(priv);
|
||||
can_skb_set_owner(skb, iskb->sk);
|
||||
|
||||
/* get a pointer to the header of the skb
|
||||
@ -104,6 +105,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
|
||||
j1939_simple_recv(priv, skb);
|
||||
j1939_sk_recv(priv, skb);
|
||||
done:
|
||||
j1939_priv_put(priv);
|
||||
kfree_skb(skb);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user