{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2021-4454","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:29:43.631Z","datePublished":"2025-03-27T16:37:09.381Z","dateUpdated":"2026-05-11T13:44:06.714Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T13:44:06.714Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate\n\nThe conclusion \"j1939_session_deactivate() should be called with a\nsession ref-count of at least 2\" is incorrect. In some concurrent\nscenarios, j1939_session_deactivate can be called with the session\nref-count less than 2. But there is not any problem because it\nwill check the session active state before session putting in\nj1939_session_deactivate_locked().\n\nHere is the concurrent scenario of the problem reported by syzbot\nand my reproduction log.\n\n        cpu0                            cpu1\n                                j1939_xtp_rx_eoma\nj1939_xtp_rx_abort_one\n                                j1939_session_get_by_addr [kref == 2]\nj1939_session_get_by_addr [kref == 3]\nj1939_session_deactivate [kref == 2]\nj1939_session_put [kref == 1]\n\t\t\t\tj1939_session_completed\n\t\t\t\tj1939_session_deactivate\n\t\t\t\tWARN_ON_ONCE(kref < 2)\n\n=====================================================\nWARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70\nCPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\nRIP: 0010:j1939_session_deactivate+0x5f/0x70\nCall Trace:\n j1939_session_deactivate_activate_next+0x11/0x28\n j1939_xtp_rx_eoma+0x12a/0x180\n j1939_tp_recv+0x4a2/0x510\n j1939_can_recv+0x226/0x380\n can_rcv_filter+0xf8/0x220\n can_receive+0x102/0x220\n ? process_backlog+0xf0/0x2c0\n can_rcv+0x53/0xf0\n __netif_receive_skb_one_core+0x67/0x90\n ? process_backlog+0x97/0x2c0\n __netif_receive_skb+0x22/0x80"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/can/j1939/transport.c"],"versions":[{"version":"7eef18c0479ba5d9f54fba30cd77c233ebca3eb1","lessThan":"6950df42a03c9ac9290503ced3f371199cb68fa9","status":"affected","versionType":"git"},{"version":"55dd22c5d029423f513fd849e633adf0e9c10d0c","lessThan":"b6d44072117bba057d50f7a2f96e5d070c65926d","status":"affected","versionType":"git"},{"version":"0c71437dd50dd687c15d8ca80b3b68f10bb21d63","lessThan":"9ab896775f98ff54b68512f345eed178bf961084","status":"affected","versionType":"git"},{"version":"0c71437dd50dd687c15d8ca80b3b68f10bb21d63","lessThan":"1740a1e45eee65099a92fb502e1e67e63aad277d","status":"affected","versionType":"git"},{"version":"0c71437dd50dd687c15d8ca80b3b68f10bb21d63","lessThan":"d0553680f94c49bbe0e39eb50d033ba563b4212d","status":"affected","versionType":"git"},{"version":"5e1fc537c1be332aef9621ca9146aeb3ba59522f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/can/j1939/transport.c"],"versions":[{"version":"5.14","status":"affected"},{"version":"0","lessThan":"5.14","status":"unaffected","versionType":"semver"},{"version":"5.4.232","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.168","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.93","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.11","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.138","versionEndExcluding":"5.4.232"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.56","versionEndExcluding":"5.10.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"5.15.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.1.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6950df42a03c9ac9290503ced3f371199cb68fa9"},{"url":"https://git.kernel.org/stable/c/b6d44072117bba057d50f7a2f96e5d070c65926d"},{"url":"https://git.kernel.org/stable/c/9ab896775f98ff54b68512f345eed178bf961084"},{"url":"https://git.kernel.org/stable/c/1740a1e45eee65099a92fb502e1e67e63aad277d"},{"url":"https://git.kernel.org/stable/c/d0553680f94c49bbe0e39eb50d033ba563b4212d"}],"title":"can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate","x_generator":{"engine":"bippy-1.2.0"}}}}