| Message ID | 20210617130623.12705-1-o.rempel@pengutronix.de |
|---|---|
| State | New |
| Series | [v1] can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done |
On 17.06.2021 15:06:23, Oleksij Rempel wrote:
> Set SOCK_RCU_FREE to let RCU call sk_destruct() on completion.
> Without this patch, we will run into j1939_can_recv() after priv was
> freed by j1939_sk_release()->j1939_sk_sock_destruct()
>
> Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> Reported-by: syzbot+bdf710cfc41c186fdff3@syzkaller.appspotmail.com
> Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>

Applied to linux-can/testing.

Thanks,
Marc

--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c index 56aa66147d5a..c7c1b4d4c0fb 100644 --- a/net/can/j1939/socket.c +++ b/net/can/j1939/socket.c @@ -398,6 +398,9 @@ static int j1939_sk_init(struct sock *sk) atomic_set(&jsk->skb_pending, 0); spin_lock_init(&jsk->sk_session_queue_lock); INIT_LIST_HEAD(&jsk->sk_session_queue); + + sock_set_flag(sk, SOCK_RCU_FREE); + /* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */ sk->sk_destruct = j1939_sk_sock_destruct; sk->sk_protocol = CAN_J1939;
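Review bot: the comment placed above `sk->sk_destruct = j1939_sk_sock_destruct;` only says the destructor "depends on" SOCK_RCU_FREE; it should say why, as the commit message does: after j1939_sk_release() a concurrent j1939_can_recv() may still be looking at priv, so sk_destruct() (and the j1939_priv_put() it performs) must be deferred until the RCU grace period has passed. Something like `/* sk_destruct() drops priv; SOCK_RCU_FREE defers it past the RCU grace period so j1939_can_recv() never sees freed memory */` would let the next reader understand the ordering without digging up this changelog. It is also worth confirming (and stating in the changelog) that every path reaching priv through the socket, j1939_can_recv() in particular, runs inside an RCU read-side critical section, since SOCK_RCU_FREE only delays the free past a grace period and gives no protection to readers outside one.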
Set SOCK_RCU_FREE to let RCU call sk_destruct() on completion.
Without this patch, we will run into j1939_can_recv() after priv was
freed by j1939_sk_release()->j1939_sk_sock_destruct().

Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reported-by: syzbot+bdf710cfc41c186fdff3@syzkaller.appspotmail.com
Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
---
 net/can/j1939/socket.c | 3 +++
 1 file changed, 3 insertions(+)