can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_g...

Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But a refcount leak will
happen when j1939_sk_bind() is called again after j1939_local_ecu_get()
 from previous j1939_sk_bind() call returned an error. We need to call
j1939_priv_put() before j1939_sk_bind() returns an error.

Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/4f49a1bc-a528-42ad-86c0-187268ab6535@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
index 70ebc861ea2a93ef49ab169bb7b1aa3357036962..88e7160d424896cced403a9eeca05e92ca3e3101 100644 (file)
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -521,6 +521,9 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
        ret = j1939_local_ecu_get(priv, jsk->addr.src_name, jsk->addr.sa);
        if (ret) {
                j1939_netdev_stop(priv);
+               jsk->priv = NULL;
+               synchronize_rcu();
+               j1939_priv_put(priv);
                goto out_release_sock;
        }