CVE-2025-39925

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: j1939: implement NETDEV_UNREGISTER notification handler<br /> <br /> syzbot is reporting<br /> <br /> unregister_netdevice: waiting for vcan0 to become free. Usage count = 2<br /> <br /> problem, for j1939 protocol did not have NETDEV_UNREGISTER notification<br /> handler for undoing changes made by j1939_sk_bind().<br /> <br /> Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct<br /> callback") expects that a call to j1939_priv_put() can be unconditionally<br /> delayed until j1939_sk_sock_destruct() is called. But we need to call<br /> j1939_priv_put() against an extra ref held by j1939_sk_bind() call<br /> (as a part of undoing changes made by j1939_sk_bind()) as soon as<br /> NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()<br /> is called via j1939_sk_release()). Otherwise, the extra ref on "struct<br /> j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from<br /> dropping the usage count to 1; making it impossible for<br /> unregister_netdevice() to continue.<br /> <br /> [mkl: remove space in front of label]