can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed

Tetsuo Handa · gregkh · commit 2d8836fab007 · 2025-09-19T16:29:58.000+02:00
[ Upstream commit f214744 ] Commit 25fe97c ("can: j1939: move j1939_priv_put() into sk_destruct callback") expects that a call to j1939_priv_put() can be unconditionally delayed until j1939_sk_sock_destruct() is called. But a refcount leak will happen when j1939_sk_bind() is called again after j1939_local_ecu_get() from previous j1939_sk_bind() call returned an error. We need to call j1939_priv_put() before j1939_sk_bind() returns an error. Fixes: 25fe97c ("can: j1939: move j1939_priv_put() into sk_destruct callback") Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: Oleksij Rempel <o.rempel@pengutronix.de> Acked-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://patch.msgid.link/4f49a1bc-a528-42ad-86c0-187268ab6535@I-love.SAKURA.ne.jp Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
@@ -520,6 +520,9 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 	ret = j1939_local_ecu_get(priv, jsk->addr.src_name, jsk->addr.sa);
 	if (ret) {
 		j1939_netdev_stop(priv);
+		jsk->priv = NULL;
+		synchronize_rcu();
+		j1939_priv_put(priv);
 		goto out_release_sock;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -520,6 +520,9 @@ static int j1939_sk_bind(struct socket sock, struct sockaddr uaddr, int len)`
`520`	`520`	`ret = j1939_local_ecu_get(priv, jsk->addr.src_name, jsk->addr.sa);`
`521`	`521`	`if (ret) {`
`522`	`522`	`j1939_netdev_stop(priv);`
	`523`	`+ jsk->priv = NULL;`
	`524`	`+ synchronize_rcu();`
	`525`	`+ j1939_priv_put(priv);`
`523`	`526`	`goto out_release_sock;`
`524`	`527`	`}`
`525`	`528`