linux_dsm_epyc7002/net
Bjorn Andersson 48ec949ac9 net: qrtr: Avoid potential use after free in MHI send
commit 47a017f33943278570c072bc71681809b2567b3a upstream.

It is possible that the MHI ul_callback will be invoked immediately
following the queueing of the skb for transmission, leading to the
callback decrementing the refcount of the associated sk and freeing the
skb.

As such the dereference of skb and the increment of the sk refcount must
happen before the skb is queued, to avoid the skb to be used after free
and potentially the sk to drop its last refcount..

Fixes: 6e728f3213 ("net: qrtr: Add MHI transport layer")
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-05-07 11:04:31 +02:00
..
6lowpan
9p net: 9p: advance iov on empty read 2021-04-07 15:00:08 +02:00
802
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 14:16:55 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 15:00:08 +02:00
atm
ax25
batman-adv batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field 2021-04-14 08:41:59 +02:00
bluetooth Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data 2021-03-07 12:34:10 +01:00
bpf bpf: Reject too big ctx_size_in for raw_tp test run 2021-01-27 11:55:07 +01:00
bpfilter
bridge netfilter: bridge: add pre_exit hooks for ebtable unregistration 2021-04-21 13:00:55 +02:00
caif
can can: isotp: fix msg_namelen values depending on CAN_REQUIRED_SIZE 2021-04-14 08:42:07 +02:00
ceph
core gro: ensure frag0 meets IP header alignment 2021-04-21 13:00:58 +02:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 16:04:01 +01:00
dccp ipv6: weaken the v4mapped source check 2021-03-30 14:32:01 +02:00
decnet
dns_resolver
dsa net: dsa: Fix type was not set for devlink port 2021-04-14 08:42:07 +02:00
ethernet
ethtool ethtool: pause: make sure we init driver stats 2021-04-21 13:00:57 +02:00
hsr net: hsr: Reset MAC header for Tx path 2021-04-14 08:42:02 +02:00
ieee802154 net: ieee802154: forbid monitor for add llsec seclevel 2021-04-21 13:00:53 +02:00
ife
ipv4 net: Make tcp_allowed_congestion_control readonly in non-init netns 2021-04-21 13:00:57 +02:00
ipv6 net: ip6_tunnel: Unregister catch-all devices 2021-04-21 13:00:57 +02:00
iucv net/af_iucv: remove WARN_ONCE on malformed RX packets 2021-03-07 12:34:05 +01:00
kcm
key af_key: relax availability checks for skb size calculation 2021-02-13 13:55:02 +01:00
l2tp net: l2tp: reduce log level of messages in receive path, add counter instead 2021-03-17 17:06:11 +01:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:29:14 +01:00
llc
mac80211 mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN 2021-04-21 13:00:54 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-14 08:42:13 +02:00
mpls net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 2021-03-17 17:06:11 +01:00
mptcp mptcp: forbit mcast-related sockopt on MPTCP sockets 2021-04-14 08:42:09 +02:00
ncsi net/ncsi: Avoid channel_monitor hrtimer deadlock 2021-04-14 08:42:08 +02:00
netfilter netfilter: conntrack: Make global sysctls readonly in non-init netns 2021-05-07 11:04:31 +02:00
netlabel cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-17 17:06:15 +01:00
netlink
netrom
nfc nfc: Avoid endless loops caused by repeated llcp_sock_connect() 2021-04-14 08:41:57 +02:00
nsh
openvswitch openvswitch: fix send of uninitialized stack memory in ct limit reply 2021-04-14 08:42:10 +02:00
packet net: fix proc_fs init handling in af_packet and tls 2021-02-23 15:53:23 +01:00
phonet
psample net: psample: Fix netlink skb length with tunnel info 2021-03-07 12:34:07 +01:00
qrtr net: qrtr: Avoid potential use after free in MHI send 2021-05-07 11:04:31 +02:00
rds net/rds: Fix a use after free in rds_message_map_pages 2021-04-14 08:42:09 +02:00
rfkill
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-11-20 10:04:58 -08:00
rxrpc rxrpc: Fix clearance of Tx/Rx ring when releasing a call 2021-02-17 11:02:28 +01:00
sched Revert "net: sched: bump refcount for new action in ACT replace mode" 2021-04-14 08:42:14 +02:00
sctp net/sctp: fix race condition in sctp_destroy_sock 2021-04-21 13:00:50 +02:00
smc
strparser
sunrpc rpc: fix NULL dereference on kmalloc failure 2021-04-07 15:00:04 +02:00
switchdev net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP 2021-02-07 15:37:12 +01:00
tipc tipc: increment the tmp aead refcnt before attaching it 2021-04-14 08:42:11 +02:00
tls net: fix proc_fs init handling in af_packet and tls 2021-02-23 15:53:23 +01:00
unix
vmw_vsock selinux: vsock: Set SID for socket returned by accept() 2021-03-30 14:32:03 +02:00
wimax
wireless cfg80211: remove WARN_ON() in cfg80211_sme_connect 2021-04-14 08:42:13 +02:00
x25 net/x25: prevent a couple of overflows 2020-12-02 17:26:36 -08:00
xdp xsk: Clear pool even for inactive queues 2021-01-27 11:55:10 +01:00
xfrm xfrm: BEET mode doesn't support fragments for inner packets 2021-04-21 13:00:51 +02:00
compat.c
devres.c
Kconfig
Makefile
socket.c
sysctl_net.c