In the Linux kernel, the following vulnerability has been resolved:
can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
It will trigger a UAF for rx_kref of j1939_priv as follows.
cpu0                                    cpu1

j1939_sk_bind(socket0, ndev0, ...)
j1939_netdev_start
                                        j1939_sk_bind(socket1, ndev0, ...)
                                        j1939_netdev_start
j1939_priv_set
                                        j1939_priv_get_by_ndev_locked
j1939_jsk_add
.....

j1939_netdev_stop
kref_put_lock(&priv->rx_kref, ...)
                                        kref_get(&priv->rx_kref, ...)
                                        REFCOUNT_WARN("addition on 0;...")
====================================================
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
RIP: 0010:refcount_warn_saturate+0x169/0x1e0
Call Trace:
 j1939_netdev_start+0x68b/0x920
 j1939_sk_bind+0x426/0xeb0
 ? security_socket_bind+0x83/0xb0
The rx_kref's kref_get() and kref_put() should be protected by j1939_netdev_lock.
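The root cause is a reference taken outside the lock that the release path holds, so the count can already have reached zero (and the object been freed) by the time it is incremented. The following user-space model is an added example, not kernel code and not the j1939 fix itself: struct priv, struct ndev, the lock helpers and the release callback are constructed stand-ins for struct j1939_priv, ndev->ml_priv, j1939_netdev_lock and the rx_kref release callback. It replays the interleaving from the trace with the unlocked get (the bug) and then with a get that looks the object up and increments under the same lock the release path uses. The interleaving is sequential on purpose, so the result is deterministic.

```c
/* Sequential model of a kref_put_lock()/kref_get() race. Constructed example; the types,
 * lock and release callback are stand-ins, not the kernel's own definitions. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct priv {
    int rx_kref;    /* stand-in for the refcount inside priv->rx_kref */
    bool freed;     /* set by the release callback; any later access is a UAF */
};

struct ndev {
    struct priv *ml_priv;   /* stand-in for ndev->ml_priv, the per-device priv pointer */
};

/* Stand-in for j1939_netdev_lock; abort() on misuse keeps the model honest. */
static bool netdev_lock_held;
static void netdev_lock(void)   { if (netdev_lock_held) abort(); netdev_lock_held = true; }
static void netdev_unlock(void) { if (!netdev_lock_held) abort(); netdev_lock_held = false; }

/* Release callback, run with the lock held: detach the priv from the device and "free" it. */
static void rx_release(struct ndev *dev, struct priv *p)
{
    dev->ml_priv = NULL;
    p->freed = true;
}

/* Models kref_put_lock(&priv->rx_kref, release, &lock). Simplification: the real helper
 * only takes the lock when the decrement is about to reach zero. */
static void rx_kref_put_lock(struct ndev *dev, struct priv *p)
{
    netdev_lock();
    if (--p->rx_kref == 0)
        rx_release(dev, p);
    netdev_unlock();
}

/* Vulnerable pattern: the pointer was looked up without the lock and the increment does
 * not care whether the count is already zero. Returns false when it incremented from zero,
 * which is what REFCOUNT_WARN("addition on 0; use-after-free") reports in the trace. */
static bool rx_kref_get_unlocked(struct priv *p)
{
    int old = p->rx_kref++;
    return old != 0;
}

/* Fixed pattern: look the priv up and take the reference under the same lock the release
 * path holds. After release ml_priv is NULL, so a freed object can never be returned; a
 * caller that gets NULL allocates a fresh priv instead (not modelled here). */
static struct priv *priv_get_locked(struct ndev *dev)
{
    netdev_lock();
    struct priv *p = dev->ml_priv;
    if (p)
        p->rx_kref++;
    netdev_unlock();
    return p;
}

/* The interleaving from the trace: cpu1 looks the priv up without the lock, cpu0 drops the
 * last reference (the netdev stop path), cpu1 then increments the stale object.
 * Returns true when the increment landed on a freed object. */
static bool race_unlocked_get(void)
{
    struct priv obj = { .rx_kref = 1, .freed = false };   /* socket0's reference */
    struct ndev dev = { .ml_priv = &obj };

    struct priv *p = dev.ml_priv;        /* cpu1: unlocked lookup */
    rx_kref_put_lock(&dev, &obj);        /* cpu0: last put, release runs */
    bool ok = rx_kref_get_unlocked(p);   /* cpu1: kref_get() on freed memory */
    return !ok && p->freed;
}

/* Same two operations with the locked get. Lookup and increment are one critical section,
 * so only two orderings exist; both are tried and neither touches freed memory. */
static bool race_locked_get(bool put_first)
{
    struct priv obj = { .rx_kref = 1, .freed = false };
    struct ndev dev = { .ml_priv = &obj };
    struct priv *p;

    if (put_first) {
        rx_kref_put_lock(&dev, &obj);   /* cpu0 wins: priv detached and freed */
        p = priv_get_locked(&dev);      /* cpu1 sees NULL and must allocate anew */
    } else {
        p = priv_get_locked(&dev);      /* cpu1 wins: count 1 -> 2 */
        rx_kref_put_lock(&dev, &obj);   /* cpu0: count 2 -> 1, no release */
    }
    return p != NULL && p->freed;       /* true would mean a UAF */
}

int main(void)
{
    printf("unlocked get:            uaf=%d\n", race_unlocked_get());
    printf("locked get (put first):  uaf=%d\n", race_locked_get(true));
    printf("locked get (get first):  uaf=%d\n", race_locked_get(false));
    return 0;
}
```

The point the model makes is the one in the commit message: kref_put_lock() only guarantees that the release runs with the lock held, so any kref_get() that can race with it must also run under that lock (or use a get-unless-zero variant) to be sure the count it increments is still non-zero.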