--- /dev/null
+From 47a017f33943278570c072bc71681809b2567b3a Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Wed, 21 Apr 2021 10:40:07 -0700
+Subject: net: qrtr: Avoid potential use after free in MHI send
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+commit 47a017f33943278570c072bc71681809b2567b3a upstream.
+
+It is possible that the MHI ul_callback will be invoked immediately
+following the queueing of the skb for transmission, leading to the
+callback decrementing the refcount of the associated sk and freeing the
+skb.
+
+As such the dereference of skb and the increment of the sk refcount must
+happen before the skb is queued, to avoid the skb to be used after free
+and potentially the sk to drop its last refcount..
+
+Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/mhi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/qrtr/mhi.c
++++ b/net/qrtr/mhi.c
+@@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrt
+ struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep);
+ int rc;
+
++ if (skb->sk)
++ sock_hold(skb->sk);
++
+ rc = skb_linearize(skb);
+ if (rc)
+ goto free_skb;
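Review bot: The `sock_hold()` added at the top of `qcom_mhi_qrtr_send()` depends on an ordering requirement that nothing in the code records. Per the commit message, the MHI ul_callback can run and free the skb as soon as it is queued, so the reference has to be taken before the queue call. I would add a comment above the `if (skb->sk)`, for example `/* Take the sk reference before queueing; the ul callback may drop it and free the skb as soon as the skb is queued. */`, so that a later cleanup does not move the hold back below the queue call and reintroduce the use after free. The signature is truncated in the hunk header and the queue call sits between the two hunks, so this rests on the visible lines and the commit description.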
+@@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrt
+ if (rc)
+ goto free_skb;
+
+- if (skb->sk)
+- sock_hold(skb->sk);
+-
+ return rc;
+
+ free_skb:
++ if (skb->sk)
++ sock_put(skb->sk);
+ kfree_skb(skb);
+
+ return rc;
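Review bot: The `free_skb:` path now reads `skb->sk` and then calls `kfree_skb(skb)` after the queue call (between the two hunks) has returned an error. That is safe only if a failed queue attempt never hands the skb to the ul callback, and that contract is not visible in this patch. If it holds, a one-line comment at the label, e.g. `/* skb was not queued: we still own it and the reference taken above */`, would record why the put and free here cannot double up with the callback's own put and free. The success path, as far as the hunk shows, no longer touches `skb` after queueing, which is what the fix needs.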