PT-2025-13279 · Linux+3 · Linux Kernel+3

Published 2021-09-06 · Updated 2025-06-02 · CVE-2021-4454

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.14.0-rc7+

Description

A vulnerability in the Linux kernel has been resolved, related to the `j1939_session_deactivate()` function. The issue arises from an incorrect conclusion that `j1939_session_deactivate()` should be called with a session ref-count of at least 2. However, in some concurrent scenarios, `j1939_session_deactivate()` can be called with the session ref-count less than 2, leading to a `WARN_ON_ONCE`. The problem occurs due to a race condition between `j1939_xtp_rx_eoma` and `j1939_session_deactivate`.

Recommendations

For Linux kernel versions prior to 5.14.0-rc7+, update to a version that includes the fix for the errant `WARN_ON_ONCE` in `j1939_session_deactivate()`. As a temporary workaround, consider disabling the `j1939_session_deactivate()` function until a patch is available. Restrict access to the j1939 module to minimize the risk of exploitation. Avoid using the `j1939_session_deactivate()` function in concurrent scenarios until the issue is resolved.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-06396
CVE-2021-4454
OPENSUSE-SU-2025_1195-1
SUSE-SU-2025:1176-1
SUSE-SU-2025:1183-1
SUSE-SU-2025:1195-1
SUSE-SU-2025:1241-1
SUSE-SU-2025_1195-1
SUSE-SU-2025_1241-1

Affected Products

Astra Linux
Linux Kernel
Red Os
Suse