can: j1939: j1939_can_recv(): add priv refcounting

j1939_can_recv() can be called in parallel with socket release. In this
case sk_release and sk_destruct can be done earlier than
j1939_can_recv() is processed.

Reported-by: syzbot+ca172a0ac477ac90f045@syzkaller.appspotmail.com
Reported-by: syzbot+07ca5bce8530070a5650@syzkaller.appspotmail.com
Reported-by: syzbot+a47537d3964ef6c874e1@syzkaller.appspotmail.com
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>

diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c
index 8dc935dc2e546b0f6a16734ddd0e16d4bf9a84c7..2afcf27c72c83bb370089f0551ed808ced6c828b 100644 (file)
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -51,6 +51,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
        if (!skb)
                return;
 
+       j1939_priv_get(priv);
        can_skb_set_owner(skb, iskb->sk);
 
        /* get a pointer to the header of the skb
@@ -104,6 +105,7 @@ static void j1939_can_recv(struct sk_buff *iskb, void *data)
        j1939_simple_recv(priv, skb);
        j1939_sk_recv(priv, skb);
  done:
+       j1939_priv_put(priv);
        kfree_skb(skb);
 }