summaryrefslogtreecommitdiff
path: root/net/can
diff options
context:
space:
mode:
authorOleksij Rempel <o.rempel@pengutronix.de>2019-11-09 18:11:18 +0300
committerMarc Kleine-Budde <mkl@pengutronix.de>2019-11-13 12:42:34 +0300
commitddeeb7d4822ed06d79fc15e822b70dce3fa77e39 (patch)
tree713c5ce1c43002e213c0870fb022e98de903d614 /net/can
parent8d7a5f000e235f1dfc61862197d4e8e72c18c6fc (diff)
downloadlinux-ddeeb7d4822ed06d79fc15e822b70dce3fa77e39.tar.xz
can: j1939: j1939_can_recv(): add priv refcounting
j1939_can_recv() can be called in parallel with socket release. In this case sk_release and sk_destruct can be done earlier than j1939_can_recv() is processed. Reported-by: syzbot+ca172a0ac477ac90f045@syzkaller.appspotmail.com Reported-by: syzbot+07ca5bce8530070a5650@syzkaller.appspotmail.com Reported-by: syzbot+a47537d3964ef6c874e1@syzkaller.appspotmail.com Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Diffstat (limited to 'net/can')
-rw-r--r--net/can/j1939/main.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c
index 8dc935dc2e54..2afcf27c72c8 100644
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -51,6 +51,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
if (!skb)
return;
+ j1939_priv_get(priv);
can_skb_set_owner(skb, iskb->sk);
/* get a pointer to the header of the skb
@@ -104,6 +105,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
j1939_simple_recv(priv, skb);
j1939_sk_recv(priv, skb);
done:
+ j1939_priv_put(priv);
kfree_skb(skb);
}