CVE-2021-4454

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate<br /> <br /> The conclusion "j1939_session_deactivate() should be called with a<br /> session ref-count of at least 2" is incorrect. In some concurrent<br /> scenarios, j1939_session_deactivate can be called with the session<br /> ref-count less than 2. But there is not any problem because it<br /> will check the session active state before session putting in<br /> j1939_session_deactivate_locked().<br /> <br /> Here is the concurrent scenario of the problem reported by syzbot<br /> and my reproduction log.<br /> <br /> cpu0 cpu1<br /> j1939_xtp_rx_eoma<br /> j1939_xtp_rx_abort_one<br /> j1939_session_get_by_addr [kref == 2]<br /> j1939_session_get_by_addr [kref == 3]<br /> j1939_session_deactivate [kref == 2]<br /> j1939_session_put [kref == 1]<br /> j1939_session_completed<br /> j1939_session_deactivate<br /> WARN_ON_ONCE(kref