From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Bjorn Andersson <bjorn.andersson@linaro.org>, "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.12 07/17] net: qrtr: Avoid potential use after free in MHI send
Date: Wed, 5 May 2021 14:06:02 +0200
Message-ID: <20210505112325.195251818@linuxfoundation.org>
In-Reply-To: <20210505112324.956720416@linuxfoundation.org>

From: Bjorn Andersson <bjorn.andersson@linaro.org>

commit 47a017f33943278570c072bc71681809b2567b3a upstream.

It is possible that the MHI ul_callback will be invoked immediately following the queueing of the skb for transmission, leading to the callback decrementing the refcount of the associated sk and freeing the skb.

As such the dereference of skb and the increment of the sk refcount must happen before the skb is queued, to avoid the skb to be used after free and potentially the sk to drop its last refcount.

Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer")
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/mhi.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/qrtr/mhi.c +++ b/net/qrtr/mhi.c @@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrt struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep); int rc; + if (skb->sk) + sock_hold(skb->sk); + rc = skb_linearize(skb); if (rc) goto free_skb; @@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrt if (rc) goto free_skb; - if (skb->sk) - sock_hold(skb->sk); - return rc; free_skb: + if (skb->sk) + sock_put(skb->sk); kfree_skb(skb); return rc;
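
Review bot: in the first hunk (@@ -50,6 +50,9), the sock_hold(skb->sk) that now sits ahead of skb_linearize() has no comment, so the ordering requirement is recorded only in the commit message. A short comment above the hold, saying that the ul_callback may run as soon as the skb is queued and drops this reference, would keep a later cleanup from moving the hold back below the queueing call and reintroducing the use after free.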
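
Review bot: in the second hunk (@@ -59,12 +62,11), the free_skb label reads skb->sk a second time to decide whether to call sock_put(), so the put balances the earlier hold only if skb->sk is unchanged since function entry and the callback never runs for a failed queue attempt. Consider caching the socket pointer in a local at the top of the function and using that local for both sock_hold() and sock_put(), so the error path does not dereference the skb for the refcount, and note next to the label that it relies on the skb still being owned by this function.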