can: j1939: j1939_can_recv(): add priv refcounting
j1939_can_recv() can be called in parallel with socket release. In this
case sk_release and sk_destruct can be done earlier than
j1939_can_recv() is processed.
Reported-by: syzbot+ca172a0ac477ac90f045@syzkaller.appspotmail.com
Reported-by: syzbot+07ca5bce8530070a5650@syzkaller.appspotmail.com
Reported-by: syzbot+a47537d3964ef6c874e1@syzkaller.appspotmail.com
Fixes: 9d71dd0c70
("can: add support of SAE J1939 protocol")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
parent
8d7a5f000e
commit
ddeeb7d482
|
@ -51,6 +51,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
|
||||||
if (!skb)
|
if (!skb)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
j1939_priv_get(priv);
|
||||||
can_skb_set_owner(skb, iskb->sk);
|
can_skb_set_owner(skb, iskb->sk);
|
||||||
|
|
||||||
/* get a pointer to the header of the skb
|
/* get a pointer to the header of the skb
|
||||||
|
@ -104,6 +105,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
|
||||||
j1939_simple_recv(priv, skb);
|
j1939_simple_recv(priv, skb);
|
||||||
j1939_sk_recv(priv, skb);
|
j1939_sk_recv(priv, skb);
|
||||||
done:
|
done:
|
||||||
|
j1939_priv_put(priv);
|
||||||
kfree_skb(skb);
|
kfree_skb(skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
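Review bot: The `j1939_priv_get(priv)` added after the `if (!skb) return;` check only helps if priv is still alive when the callback is entered; `priv` is derived from `data` before this hunk, and nothing visible here stops the last reference from being dropped between callback entry and the get. If `j1939_priv_get()` is a plain reference-count increment (its body is not shown), a release racing with entry would still touch freed memory, so the unregister/release path should be checked to confirm it waits for in-flight receive callbacks before the final put. A comment at the get would document the intent, e.g. `/* hold priv until done: - socket release may run concurrently */`, and every exit between the two hunks should be confirmed to pass through `done:` so that `j1939_priv_put(priv)` is always reached. The function body starts before the first hunk and continues between the hunks, outside what is shown.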