Hi,
On Mon, Jul 12, 2021 at 03:40:46PM -0700, Xiaochen Zou wrote:
Hi, It looks like there are multiple use-after-free accesses in j1939_session_deactivate()
static bool j1939_session_deactivate(struct j1939_session *session) { bool active;
j1939_session_list_lock(session->priv); active = j1939_session_deactivate_locked(session); //session can be freed inside j1939_session_list_unlock(session->priv); // It causes UAF read and write
return active; }
session can be freed by j1939_session_deactivate_locked->j1939_session_put->__j1939_session_release->j1939_session_destroy->kfree. Therefore it makes the unlock function perform UAF access.
Potentially I would agree, but this function takes "session" as property. Any function which provided session pointer should care about own ref counting. If described scenarios really happens, then there is problem on other place. Was you able to reproduce it?
Regards, Oleksij