Both session and session->priv may be freed in j1939_session_deactivate_locked(). This leads to a potential UAF read and write in j1939_session_list_unlock(). The free chain is j1939_session_deactivate_locked() -> j1939_session_put() -> __j1939_session_release() -> j1939_session_destroy().

To fix this bug, I moved j1939_session_put() behind j1939_session_deactivate_locked() and guarded it with a check of active, since the session would be freed only if active is true.

Signed-off-by: Xiaochen Zou
---
 net/can/j1939/transport.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
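The ordering problem the message describes, as an added example that is not the patch's or the kernel's code: a constructed C model of a refcounted session that holds a reference on its priv, with the buggy ordering (the put happens inside the locked deactivate, so the caller's unlock reads session->priv from freed memory) beside the reordered version (deactivate only flips the flag; the put runs afterwards and only when the session was active). Freeing is simulated with a flag so a stale access is counted instead of being undefined behaviour; the placement of the put after the list unlock and the names of the helpers are assumptions of the model, not something the page states.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not net/can/j1939/transport.c: the names follow the
 * commit message but the bodies are simplified. "Freeing" only sets a flag,
 * so a use-after-free becomes a counted event rather than real UB. */

struct priv {
    int refcount;
    bool freed;
    bool locked;
};

struct session {
    int refcount;
    bool active;
    bool freed;
    struct priv *priv;
};

static int uaf_count;  /* accesses to an object after its simulated free */

static void priv_put(struct priv *p)
{
    if (--p->refcount == 0)
        p->freed = true;           /* stands in for freeing priv */
}

/* Mirrors the free chain: session_put -> __session_release -> session_destroy */
static void session_destroy(struct session *s)
{
    priv_put(s->priv);             /* the session held a reference on priv */
    s->freed = true;               /* stands in for freeing session */
}

static void session_put(struct session *s)
{
    if (--s->refcount == 0)
        session_destroy(s);
}

/* All field reads go through these so a stale pointer is detected. */
static struct priv *session_priv(struct session *s)
{
    if (s->freed)
        uaf_count++;
    return s->priv;
}

static void list_lock(struct priv *p)
{
    if (p->freed)
        uaf_count++;
    p->locked = true;
}

static void list_unlock(struct priv *p)
{
    if (p->freed)
        uaf_count++;
    p->locked = false;
}

/* Buggy: drops the session reference while the caller still needs session->priv. */
static bool deactivate_locked_buggy(struct session *s)
{
    bool active = s->active;
    if (active) {
        s->active = false;
        session_put(s);            /* may free s and then s->priv right here */
    }
    return active;
}

static bool deactivate_buggy(struct session *s)
{
    list_lock(session_priv(s));
    bool active = deactivate_locked_buggy(s);
    list_unlock(session_priv(s));  /* reads s->priv after s may be gone */
    return active;
}

/* Fixed (model's ordering): deactivate only flips the flag; the put comes after
 * the unlock and only if the session was active, i.e. still owned a reference. */
static bool deactivate_locked_fixed(struct session *s)
{
    bool active = s->active;
    s->active = false;
    return active;
}

static bool deactivate_fixed(struct session *s)
{
    struct priv *p = s->priv;      /* snapshot before anything can free s */
    list_lock(p);
    bool active = deactivate_locked_fixed(s);
    list_unlock(p);
    if (active)
        session_put(s);
    return active;
}

struct outcome {
    int uaf_accesses;
    bool session_freed;
    bool priv_freed;
};

/* One deactivation where the session holds the last reference on both objects. */
struct outcome run_scenario(bool fixed, bool start_active)
{
    struct priv p = { .refcount = 1, .freed = false, .locked = false };
    struct session s = { .refcount = 1, .active = start_active,
                         .freed = false, .priv = &p };
    struct outcome out;

    uaf_count = 0;
    (void)(fixed ? deactivate_fixed(&s) : deactivate_buggy(&s));
    out.uaf_accesses = uaf_count;
    out.session_freed = s.freed;
    out.priv_freed = p.freed;
    return out;
}

int main(void)
{
    printf("buggy ordering: %d after-free accesses\n",
           run_scenario(false, true).uaf_accesses);
    printf("fixed ordering: %d after-free accesses\n",
           run_scenario(true, true).uaf_accesses);
    return 0;
}
```

The buggy path counts two stale accesses (session_priv() on the freed session, then list_unlock() on the freed priv), while the fixed path counts none and still releases both objects; an already-inactive session is left alone in both orderings, which is what the active guard on the put is for.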