From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Oleksij Rempel <o.rempel@pengutronix.de>,
Marc Kleine-Budde <mkl@pengutronix.de>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 56/78] can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed
Date: Wed, 17 Sep 2025 14:35:17 +0200 [thread overview]
Message-ID: <20250917123330.937621360@linuxfoundation.org> (raw)
In-Reply-To: <20250917123329.576087662@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit f214744c8a27c3c1da6b538c232da22cd027530e ]
Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But a refcount leak will
happen when j1939_sk_bind() is called again after j1939_local_ecu_get()
from previous j1939_sk_bind() call returned an error. We need to call
j1939_priv_put() before j1939_sk_bind() returns an error.
Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/4f49a1bc-a528-42ad-86c0-187268ab6535@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/j1939/socket.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
index 0a4267a24263b..502975fd5f97e 100644
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -520,6 +520,9 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
ret = j1939_local_ecu_get(priv, jsk->addr.src_name, jsk->addr.sa);
if (ret) {
j1939_netdev_stop(priv);
+ jsk->priv = NULL;
+ synchronize_rcu();
+ j1939_priv_put(priv);
goto out_release_sock;
}
--
2.51.0
next prev parent reply other threads:[~2025-09-17 13:02 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-17 12:34 [PATCH 6.1 00/78] 6.1.153-rc1 review Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 01/78] kunit: kasan_test: disable fortify string checker on kasan_strings() test Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 02/78] mm: introduce and use {pgd,p4d}_populate_kernel() Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 03/78] media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 04/78] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 05/78] media: i2c: imx214: Fix link frequency validation Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 06/78] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 07/78] ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 08/78] tracing: Do not add length to print format in synthetic events Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 09/78] flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 10/78] NFSv4: Dont clear capabilities that wont be reset Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 11/78] NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 12/78] NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 13/78] tracing: Fix tracing_marker may trigger page fault during preempt_disable Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 14/78] ftrace/samples: Fix function size computation Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 15/78] NFSv4/flexfiles: Fix layout merge mirror check Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 16/78] tracing: Silence warning when chunk allocation fails in trace_pid_write Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 17/78] s390/cpum_cf: Deny all sampling events by counter PMU Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 18/78] tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 19/78] proc: fix type confusion in pde_set_flags() Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 20/78] KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 21/78] KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func() Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 22/78] KVM: SVM: Set synthesized TSA CPUID flags Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 23/78] EDAC/altera: Delete an inappropriate dma_free_coherent() call Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 24/78] Revert "SUNRPC: Dont allow waiting for exiting tasks" Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 25/78] compiler-clang.h: define __SANITIZE_*__ macros only when undefined Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 26/78] mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 27/78] ocfs2: fix recursive semaphore deadlock in fiemap call Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 28/78] net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 29/78] mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 30/78] mtd: rawnand: stm32_fmc2: fix ECC overwrite Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 31/78] fuse: check if copy_file_range() returns larger than requested size Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 32/78] fuse: prevent overflow in copy_file_range return value Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 33/78] libceph: fix invalid accesses to ceph_connection_v1_info Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 34/78] mm/damon/sysfs: fix use-after-free in state_show() Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 35/78] mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 36/78] mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 37/78] mtd: nand: raw: atmel: Fix comment in timings preparation Greg Kroah-Hartman
2025-09-17 12:34 ` [PATCH 6.1 38/78] mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 39/78] mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 40/78] mm/khugepaged: fix the address passed to notifier on testing young Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 41/78] kernfs: Fix UAF in polling when open file is released Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 42/78] mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 43/78] Input: iqs7222 - avoid enabling unused interrupts Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 44/78] Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 45/78] Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 46/78] tty: hvc_console: Call hvc_kick in hvc_write unconditionally Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 47/78] serial: sc16is7xx: fix bug in flow control levels init Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 48/78] dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 49/78] USB: serial: option: add Telit Cinterion FN990A w/audio compositions Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 50/78] USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 51/78] net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 52/78] tunnels: reset the GSO metadata before reusing the skb Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 53/78] docs: networking: can: change bcm_msg_head frames member to support flexible array Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 54/78] igb: fix link test skipping when interface is admin down Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 55/78] i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Greg Kroah-Hartman
2025-09-17 12:35 ` Greg Kroah-Hartman [this message]
2025-09-17 12:35 ` [PATCH 6.1 57/78] can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 58/78] can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 59/78] net: hsr: Disable promiscuous mode in offload mode Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 60/78] net: hsr: Add support for MC filtering at the slave device Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 61/78] net: hsr: Add VLAN CTAG filter support Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 62/78] hsr: use rtnl lock when iterating over ports Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 63/78] hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 64/78] dmaengine: idxd: Fix double free in idxd_setup_wqs() Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 65/78] dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 66/78] regulator: sy7636a: fix lifecycle of power good gpio Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 67/78] hrtimer: Remove unused function Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 68/78] hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 69/78] hrtimers: Unconditionally update target CPU base after offline timer migration Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 70/78] USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 71/78] dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 72/78] dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 73/78] phy: tegra: xusb: fix device and OF node leak at probe Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 74/78] phy: ti-pipe3: fix device leak at unbind Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 75/78] drm/amdgpu: fix a memory leak in fence cleanup when unloading Greg Kroah-Hartman
2025-09-17 14:33 ` Deucher, Alexander
2025-09-17 14:45 ` Greg Kroah-Hartman
2025-09-17 19:55 ` Deucher, Alexander
2025-09-17 12:35 ` [PATCH 6.1 76/78] drm/i915/power: fix size for for_each_set_bit() in abox iteration Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 77/78] soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() Greg Kroah-Hartman
2025-09-17 12:35 ` [PATCH 6.1 78/78] soc: qcom: mdt_loader: Deal with zero e_shentsize Greg Kroah-Hartman
2025-09-17 17:56 ` [PATCH 6.1 00/78] 6.1.153-rc1 review Hardik Garg
2025-09-17 20:08 ` Jon Hunter
2025-09-17 23:53 ` Peter Schneider
2025-09-18 5:18 ` Brett A C Sheffield
2025-09-18 13:06 ` [PATCH 6.1 00/78] " Ron Economos
2025-09-18 13:28 ` Anders Roxell
2025-09-19 7:19 ` Greg Kroah-Hartman
2025-09-18 17:26 ` Florian Fainelli
2025-09-18 19:19 ` Pavel Machek
2025-09-18 20:15 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250917123330.937621360@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=mkl@pengutronix.de \
--cc=o.rempel@pengutronix.de \
--cc=patches@lists.linux.dev \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).