can: j1939: j1939_session_new(): fix skb reference counting

Since j1939_session_skb_queue() does an extra skb_get() for each new
skb, do the same for the initial one in j1939_session_new() to avoid
refcount underflow.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Signed-off-by: Dmitry Antipov <[email protected]>
Tested-by: Oleksij Rempel <[email protected]>
Acked-by: Oleksij Rempel <[email protected]>
Link: https://patch.msgid.link/[email protected]
[mkl: clean up commit message]
Signed-off-by: Marc Kleine-Budde <[email protected]>

diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index 319f47df33300cb2a96e646bccbc700e89dd384e..95f7a7e65a73fa74243ddf5141d0fe81c7c6734d 100644 (file)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1505,7 +1505,7 @@ static struct j1939_session *j1939_session_new(struct j1939_priv *priv,
        session->state = J1939_SESSION_NEW;
 
        skb_queue_head_init(&session->skb_queue);
-       skb_queue_tail(&session->skb_queue, skb);
+       skb_queue_tail(&session->skb_queue, skb_get(skb));
 
        skcb = j1939_skb_to_cb(skb);
        memcpy(&session->skcb, skcb, sizeof(session->skcb));