Commit 807ca64e authored by Paolo Abeni

Merge branch 'fix-uaf-bugs-caused-by-ax25_release'

Duoming Zhou says:

====================
Fix UAF bugs caused by ax25_release()

The first patch fixes UAF bugs in ax25_send_control, and
the second patch fixes UAF bugs in ax25 timers.
====================

Link: https://lore.kernel.org/r/cover.1648472006.git.duoming@zju.edu.cn


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents f19c4445 82e31755
+9 −4
@@ -991,10 +991,6 @@ static int ax25_release(struct socket *sock)
	sock_orphan(sk);
	ax25 = sk_to_ax25(sk);
	ax25_dev = ax25->ax25_dev;
	if (ax25_dev) {
		dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
		ax25_dev_put(ax25_dev);
	}

	if (sk->sk_type == SOCK_SEQPACKET) {
		switch (ax25->state) {
@@ -1056,6 +1052,15 @@ static int ax25_release(struct socket *sock)
		sk->sk_state_change(sk);
		ax25_destroy_socket(ax25);
	}
	if (ax25_dev) {
		del_timer_sync(&ax25->timer);
		del_timer_sync(&ax25->t1timer);
		del_timer_sync(&ax25->t2timer);
		del_timer_sync(&ax25->t3timer);
		del_timer_sync(&ax25->idletimer);
		dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
		ax25_dev_put(ax25_dev);
	}

	sock->sk   = NULL;
	release_sock(sk);
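Review bot: The `del_timer_sync()` calls in the `if (ax25_dev)` block at the end of ax25_release() run after `ax25_destroy_socket(ax25)` and before `release_sock(sk)`, and nothing in the hunk documents why that ordering is safe. They still touch `ax25` after the destroy call, so they rely on a reference taken earlier in the function, outside the hunk, to keep the control block alive. They also appear to run with the socket lock held, which is only safe if no timer handler waits on that lock or re-arms its timer while the sync is in progress; that should be checked against the ax25 timer handlers. I would put the reason for the ordering above the block, for example `/* Stop every timer before dropping the device reference; presumably the handlers can still reach ax25->ax25_dev. */`, and name the reference that keeps `ax25` valid there. ax25_release() starts and ends outside both hunks, so the locking and refcounting could not be confirmed from this page.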