From: syzbot <syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] Re: [syzbot] [can?] WARNING: refcount bug in sk_skb_reason_drop
Date: Thu, 03 Oct 2024 10:39:27 -0700
Message-ID: <66fed6cf.050a0220.9ec68.0050.GAE@google.com>
In-Reply-To: <66fec2e2.050a0220.9ec68.0046.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [can?] WARNING: refcount bug in sk_skb_reason_drop
Author: dmantipov@yandex.ru

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7ec462100ef9142344ddbf86f2c3008b97acddbe 

From eb58509f460225df7cf181a07772d577a270091b Mon Sep 17 00:00:00 2001
From: Dmitry Antipov <dmantipov@yandex.ru>
Date: Thu, 3 Oct 2024 20:24:12 +0300
Subject: [PATCH] can: fix skb reference counting in j1939_session_new()

Since 'j1939_session_skb_queue()' does an extra 'skb_get()' for each
new skb, I assume that the same should be done for an initial one
in 'j1939_session_new()' just to avoid refcount underflow.

Reported-by: syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 net/can/j1939/transport.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index 319f47df3330..fecee36dbb70 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1505,7 +1505,8 @@ static struct j1939_session *j1939_session_new(struct j1939_priv *priv,
 	session->state = J1939_SESSION_NEW;
 
 	skb_queue_head_init(&session->skb_queue);
-	skb_queue_tail(&session->skb_queue, skb);
+	/* Take an extra ref just like in j1939_session_skb_queue(). */
+	skb_queue_tail(&session->skb_queue, skb_get(skb));
 
 	skcb = j1939_skb_to_cb(skb);
 	memcpy(&session->skcb, skcb, sizeof(session->skcb));
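
Review bot: The added skb_get(skb) in the skb_queue_tail() call changes the ownership contract of j1939_session_new(): the session queue now holds its own reference and the caller keeps the one it passed in, but nothing in this hunk shows the callers releasing theirs. The commit message only says "I assume", so please audit every caller of j1939_session_new() and confirm it drops its reference on both the success and failure paths; otherwise the refcount underflow is traded for an skb leak. It would also help if the new comment stated that rule directly (for example "session queue holds its own ref; caller retains its ref") instead of only pointing at j1939_session_skb_queue().
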
-- 
2.46.2

