On 14.07.2021 13:16:02, Oleksij Rempel wrote:
> The j1939_session_deactivate() is decrementing the session ref-count and
> potentially can free() the session. This would cause use-after-free
> situation.
> 
> However, the code calling j1939_session_deactivate() does always hold
> another reference to the session, so that it would not be free()ed in
> this code path.
> 
> This patch adds a comment to make this clear and a WARN_ON, to ensure
> that future changes will not violate this requirement. Further this
> patch avoids dereferencing the session pointer as a precaution to avoid
> use-after-free if the session is actually free()ed.
> 
> Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
> Reported-by: Xiaochen Zou <xzou017@ucr.edu>
> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>

Added to linux-can/testing

regards,
Marc
-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |