Unverified Commit 0c5d5a06 authored Jan 16, 2024 by openeuler-ci-bot Committed by Gitee Jan 16, 2024

!3989 [sync] PR-3668: net/rose: Fix Use-After-Free in rose_ioctl

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/3668 
 
PR sync from: Lu Wei <luwei32@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/7W3QPUDCJLV33NJJQ6MHPWY5LWGDGVS6/ 
 
https://gitee.com/src-openeuler/kernel/issues/I8RXMW 
 
Link:https://gitee.com/openeuler/kernel/pulls/3989

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parents d4462587 07b30bbe

net/rose/af_rose.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1299,9 +1299,11 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
		case TIOCINQ: {
		struct sk_buff *skb;
		long amount = 0L;
		/* These two are safe on a single CPU system as only user tasks fiddle here */

		spin_lock_irq(&sk->sk_receive_queue.lock);
		if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)
		amount = skb->len;
		spin_unlock_irq(&sk->sk_receive_queue.lock);
		return put_user(amount, (unsigned int __user *) argp);
		}