Re: [PATCH net-next V2] can: j1939: fix uaf warning in j1939_session_destroy

[Oleksij Rempel <o.rempel@pengutronix.de>]

Hi Edward,

On Thu, Aug 08, 2024 at 07:08:49AM +0800, Edward Adam Davis wrote:
> The root cause of this problem is when both of the following conditions
> are met simultaneously:
> [1] Introduced commit c9c0ee5f20c5, There are following rules:
> In debug builds (CONFIG_DEBUG_NET set), the reference count is always
> decremented, even when it's 1.
> 
> [2] When executing sendmsg, the newly created session did not increase the
> skb reference count, only added skb to the session's skb_queue.
> 
> The solution is:
> When creating a new session, do not add the skb to the skb_queue.
> Instead, when using skb, uniformly use j1939_session_skb_queue to add
> the skb to the queue and increase the skb reference count through it.
> 
> Reported-and-tested-by: syzbot+ad601904231505ad6617@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=ad601904231505ad6617
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

This patch breaks j1939.
The issue can be reproduced by running following commands:
git clone git@github.com:linux-can/can-tests.git
cd can-tests/j1939/
ip link add type vcan
ip l s dev vcan0 up
./run_all.sh vcan0 vcan0


Regards,
Oleksij
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |