can: j1939: j1939_session_deactivate(): clarify lifetime of session object
stable inclusion from stable-5.10.56 commit 55dd22c5d029423f513fd849e633adf0e9c10d0c bugzilla: 176004 https://gitee.com/openeuler/kernel/issues/I4DYZ4 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=55dd22c5d029423f513fd849e633adf0e9c10d0c -------------------------------- commit 0c71437d upstream. The j1939_session_deactivate() is decrementing the session ref-count and potentially can free() the session. This would cause use-after-free situation. However, the code calling j1939_session_deactivate() does always hold another reference to the session, so that it would not be free()ed in this code path. This patch adds a comment to make this clear and a WARN_ON, to ensure that future changes will not violate this requirement. Further this patch avoids dereferencing the session pointer as a precaution to avoid use-after-free if the session is actually free()ed. Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol") Link: https://lore.kernel.org/r/20210714111602.24021-1-o.rempel@pengutronix.de Reported-by:Xiaochen Zou <xzou017@ucr.edu> Signed-off-by:
Loading
Please sign in to comment