Fixes: c9c0ee5f20c5 ("net: skbuff: Skip early return in skb_unref when debugging")

Root cause: In commit c9c0ee5f20c5, there is the following rule: in debug builds (CONFIG_DEBUG_NET set), the reference count is always decremented, even when it's 1. This rule will cause the reference count to be 0 after calling skb_unref, which will affect the release of the skb.

The solution I have proposed is: before releasing the SKB during session destroy, check CONFIG_DEBUG_NET and the skb_unref return value to avoid reference count errors caused by a reference count of 0 when releasing the SKB.

#syz test: net-next 743ff02152bc

diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c index 4be73de5033c..50d96015c125 100644 --- a/net/can/j1939/transport.c +++ b/net/can/j1939/transport.c @@ -278,7 +278,8 @@ static void j1939_session_destroy(struct j1939_session *session) while ((skb = skb_dequeue(&session->skb_queue)) != NULL) { /* drop ref taken in j1939_session_skb_queue() */ - skb_unref(skb); + if (skb_unref(skb) && IS_ENABLED(CONFIG_DEBUG_NET)) + skb_get(skb); kfree_skb(skb); } __j1939_session_drop(session);
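
Review bot: The added `skb_get(skb)` in the `j1939_session_destroy()` loop runs only after `skb_unref(skb)` has reported that the last reference is gone, which by the commit message's own description means the count is already 0 in a CONFIG_DEBUG_NET build. Taking a new reference on an skb whose count has reached zero is the pattern the refcount API flags as a possible use-after-free, so this trades one refcount warning for another instead of removing the imbalance. The underlying issue is that the loop drops two references per skb (`skb_unref()` followed by `kfree_skb()`), while the path that hit this evidently held only one. I would rather see that asymmetry resolved than a caller that branches on `IS_ENABLED(CONFIG_DEBUG_NET)`: either establish why the queue reference from `j1939_session_skb_queue()` is missing here and fix it at the source, or, if a single reference is legitimate at this point, use the return value of `skb_unref()` to decide whether `kfree_skb()` is still needed, identically in debug and non-debug builds. The comment `/* drop ref taken in j1939_session_skb_queue() */` also no longer describes what the new lines do and should be updated to state the expected reference count at this point.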