From: Oleksij Rempel <o.rempel@pengutronix.de>
To: dev.kurt@vandijck-laurijssen.be, mkl@pengutronix.de, wg@grandegger.com
Cc: Oleksij Rempel <o.rempel@pengutronix.de>,
Xiaochen Zou <xzou017@ucr.edu>,
kernel@pengutronix.de, linux-can@vger.kernel.org,
netdev@vger.kernel.org, David Jander <david@protonic.nl>,
Zhang Changzhong <zhangchangzhong@huawei.com>
Subject: [PATCH v1] can: j1939: j1939_session_deactivate(): clarify lifetime of session object
Date: Wed, 14 Jul 2021 13:16:02 +0200 [thread overview]
Message-ID: <20210714111602.24021-1-o.rempel@pengutronix.de> (raw)
The j1939_session_deactivate() is decrementing the session ref-count and
potentially can free() the session. This would cause use-after-free
situation.
However, the code calling j1939_session_deactivate() does always hold
another reference to the session, so that it would not be free()ed in
this code path.
This patch adds a comment to make this clear and a WARN_ON, to ensure
that future changes will not violate this requirement. Further this
patch avoids dereferencing the session pointer as a precaution to avoid
use-after-free if the session is actually free()ed.
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Reported-by: Xiaochen Zou <xzou017@ucr.edu>
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
---
net/can/j1939/transport.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index cb358646e382..cff9812a5585 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1056,11 +1056,16 @@ static bool j1939_session_deactivate_locked(struct j1939_session *session)
static bool j1939_session_deactivate(struct j1939_session *session)
{
+ struct j1939_priv *priv = session->priv;
bool active;
- j1939_session_list_lock(session->priv);
+ j1939_session_list_lock(priv);
+ /* This function should be called with a session ref-count of at
+ * least 2.
+ */
+ WARN_ON_ONCE(kref_read(&session->kref) < 2);
active = j1939_session_deactivate_locked(session);
- j1939_session_list_unlock(session->priv);
+ j1939_session_list_unlock(priv);
return active;
}
--
2.30.2
next reply other threads:[~2021-07-14 11:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-14 11:16 Oleksij Rempel [this message]
2021-07-14 19:32 ` [PATCH v1] can: j1939: j1939_session_deactivate(): clarify lifetime of session object Marc Kleine-Budde
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210714111602.24021-1-o.rempel@pengutronix.de \
--to=o.rempel@pengutronix.de \
--cc=david@protonic.nl \
--cc=dev.kurt@vandijck-laurijssen.be \
--cc=kernel@pengutronix.de \
--cc=linux-can@vger.kernel.org \
--cc=mkl@pengutronix.de \
--cc=netdev@vger.kernel.org \
--cc=wg@grandegger.com \
--cc=xzou017@ucr.edu \
--cc=zhangchangzhong@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.