Unverified Commit 23070259 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!15765 CVE-2024-56642 

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/WLQXR3FTFSTHSJ7ALOOWRIJ2QIXXS3EH/ 
CVE-2024-56642

Eric Dumazet (1):
  tipc: fix NULL deref in cleanup_bearer()

Kuniyuki Iwashima (1):
  tipc: Fix use-after-free of kernel socket in cleanup_bearer().

 
https://gitee.com/src-openeuler/kernel/issues/IBEAPI 
 
Link:https://gitee.com/openeuler/kernel/pulls/15765

 

Reviewed-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
Reviewed-by: default avatarLi Nan <linan122@huawei.com>
Signed-off-by: default avatarLi Nan <linan122@huawei.com>
parents aab87476 f8e66924

net/tipc/udp_media.c

+6 −1
Original line number Diff line number Diff line
@@ -803,6 +803,7 @@ static void cleanup_bearer(struct work_struct *work) 
{

	struct udp_bearer *ub = container_of(work, struct udp_bearer, work);

	struct udp_replicast *rcast, *tmp;

	struct tipc_net *tn;



	list_for_each_entry_safe(rcast, tmp, &ub->rcast.list, list) {

		dst_cache_destroy(&rcast->dst_cache);
@@ -810,10 +811,14 @@ static void cleanup_bearer(struct work_struct *work) 
		kfree_rcu(rcast, rcu);

	}



	atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);

	tn = tipc_net(sock_net(ub->ubsock->sk));



	dst_cache_destroy(&ub->rcast.dst_cache);

	udp_tunnel_sock_release(ub->ubsock);



	/* Note: could use a call_rcu() to avoid another synchronize_net() */

	synchronize_net();

	atomic_dec(&tn->wq_count);

	kfree(ub);

}