{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2021-4454", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:29:43.631Z", "datePublished": "2025-03-27T16:37:09.381Z", "dateUpdated": "2026-05-23T15:18:40.946Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-23T15:18:40.946Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate\n\nThe conclusion \"j1939_session_deactivate() should be called with a\nsession ref-count of at least 2\" is incorrect. In some concurrent\nscenarios, j1939_session_deactivate can be called with the session\nref-count less than 2. But there is not any problem because it\nwill check the session active state before session putting in\nj1939_session_deactivate_locked().\n\nHere is the concurrent scenario of the problem reported by syzbot\nand my reproduction log.\n\n cpu0 cpu1\n j1939_xtp_rx_eoma\nj1939_xtp_rx_abort_one\n j1939_session_get_by_addr [kref == 2]\nj1939_session_get_by_addr [kref == 3]\nj1939_session_deactivate [kref == 2]\nj1939_session_put [kref == 1]\n\t\t\t\tj1939_session_completed\n\t\t\t\tj1939_session_deactivate\n\t\t\t\tWARN_ON_ONCE(kref < 2)\n\n=====================================================\nWARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70\nCPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\nRIP: 0010:j1939_session_deactivate+0x5f/0x70\nCall Trace:\n j1939_session_deactivate_activate_next+0x11/0x28\n j1939_xtp_rx_eoma+0x12a/0x180\n j1939_tp_recv+0x4a2/0x510\n j1939_can_recv+0x226/0x380\n can_rcv_filter+0xf8/0x220\n can_receive+0x102/0x220\n ? process_backlog+0xf0/0x2c0\n can_rcv+0x53/0xf0\n __netif_receive_skb_one_core+0x67/0x90\n ? process_backlog+0x97/0x2c0\n __netif_receive_skb+0x22/0x80" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/can/j1939/transport.c" ], "versions": [ { "version": "7eef18c0479ba5d9f54fba30cd77c233ebca3eb1", "lessThan": "6950df42a03c9ac9290503ced3f371199cb68fa9", "status": "affected", "versionType": "git" }, { "version": "55dd22c5d029423f513fd849e633adf0e9c10d0c", "lessThan": "b6d44072117bba057d50f7a2f96e5d070c65926d", "status": "affected", "versionType": "git" }, { "version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63", "lessThan": "9ab896775f98ff54b68512f345eed178bf961084", "status": "affected", "versionType": "git" }, { "version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63", "lessThan": "1740a1e45eee65099a92fb502e1e67e63aad277d", "status": "affected", "versionType": "git" }, { "version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63", "lessThan": "d0553680f94c49bbe0e39eb50d033ba563b4212d", "status": "affected", "versionType": "git" }, { "version": "5e1fc537c1be332aef9621ca9146aeb3ba59522f", "status": "affected", "versionType": "git" }, { "version": "5.4.138", "lessThan": "5.4.232", "status": "affected", "versionType": "semver" }, { "version": "5.10.56", "lessThan": "5.10.168", "status": "affected", "versionType": "semver" }, { "version": "5.13.8", "lessThan": "5.14", "status": "affected", "versionType": "semver" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/can/j1939/transport.c" ], "versions": [ { "version": "5.14", "status": "affected" }, { "version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver" }, { "version": "5.4.232", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.168", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.93", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.11", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.138", "versionEndExcluding": "5.4.232" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.56", "versionEndExcluding": "5.10.168" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.93" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.11" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.2" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13.8" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/6950df42a03c9ac9290503ced3f371199cb68fa9" }, { "url": "https://git.kernel.org/stable/c/b6d44072117bba057d50f7a2f96e5d070c65926d" }, { "url": "https://git.kernel.org/stable/c/9ab896775f98ff54b68512f345eed178bf961084" }, { "url": "https://git.kernel.org/stable/c/1740a1e45eee65099a92fb502e1e67e63aad277d" }, { "url": "https://git.kernel.org/stable/c/d0553680f94c49bbe0e39eb50d033ba563b4212d" } ], "title": "can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate", "x_generator": { "engine": "bippy-1.2.0" } } } }