From: Greg Kroah-Hartman
Date: Tue, 4 May 2021 17:09:33 +0000 (+0200)
Subject: 5.12-stable patches
X-Git-Tag: v4.19.190~27
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f19b9046d379ff71efb7b895e12dfb9e8ddf2b3e;p=thirdparty%2Fkernel%2Fstable-queue.git

5.12-stable patches

added patches:
      net-qrtr-avoid-potential-use-after-free-in-mhi-send.patch
---

diff --git a/queue-5.12/net-qrtr-avoid-potential-use-after-free-in-mhi-send.patch b/queue-5.12/net-qrtr-avoid-potential-use-after-free-in-mhi-send.patch
new file mode 100644
index 00000000000..d74ede30e64
--- /dev/null
+++ b/queue-5.12/net-qrtr-avoid-potential-use-after-free-in-mhi-send.patch
@@ -0,0 +1,53 @@ +From 47a017f33943278570c072bc71681809b2567b3a Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Wed, 21 Apr 2021 10:40:07 -0700 +Subject: net: qrtr: Avoid potential use after free in MHI send + +From: Bjorn Andersson + +commit 47a017f33943278570c072bc71681809b2567b3a upstream. + +It is possible that the MHI ul_callback will be invoked immediately +following the queueing of the skb for transmission, leading to the +callback decrementing the refcount of the associated sk and freeing the +skb. + +As such the dereference of skb and the increment of the sk refcount must +happen before the skb is queued, to avoid the skb to be used after free +and potentially the sk to drop its last refcount.. + +Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer") +Signed-off-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/mhi.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/qrtr/mhi.c ++++ b/net/qrtr/mhi.c +@@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrt + struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep); + int rc; + ++ if (skb->sk) ++ sock_hold(skb->sk); ++ + rc = skb_linearize(skb); + if (rc) + goto free_skb; +@@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrt + if (rc) + goto free_skb; + +- if (skb->sk) +- sock_hold(skb->sk); +- + return rc; + + free_skb: ++ if (skb->sk) ++ sock_put(skb->sk); + kfree_skb(skb); + + return rc; diff --git a/queue-5.12/series b/queue-5.12/series index 0386fe124c4..086b3245711 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -4,3 +4,4 @@ net-usb-ax88179_178a-initialize-local-variables-before-use.patch drm-i915-disable-runtime-power-management-during-shutdown.patch bpf-fix-masking-negation-logic-upon-negative-dst-register.patch bpf-fix-leakage-of-uninitialized-bpf-stack-under-speculation.patch +net-qrtr-avoid-potential-use-after-free-in-mhi-send.patch
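Review bot: In the first hunk (@@ -50,6 +50,9 @@), taking `sock_hold(skb->sk)` before `skb_linearize(skb)` is the correct ordering, but it means the reference is now held across both failure exits (`if (rc) goto free_skb;` after skb_linearize and after the queue call), so the `free_skb:` label must drop it or every failed send leaks a sock reference; the second hunk does add that `sock_put`, and a reviewer should check both halves land together in the same backport. A small readability point: read `struct sock *sk = skb->sk;` once at the top of qcom_mhi_qrtr_send() and use it for the hold and the put, which makes it obvious that nothing in this function dereferences `skb` after it has been handed to MHI and that the same pointer is released on error.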
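Review bot: In the second hunk (@@ -59,12 +62,11 @@), removing the post-queue `sock_hold(skb->sk)` is the actual use-after-free fix, since after a successful queue the ul_callback may already have freed the skb, and the remaining `return rc;` no longer touches it, which is right. The `sock_put(skb->sk)` under `free_skb:` is placed correctly before `kfree_skb(skb)`, while the skb is still owned by this function and the callback cannot run. What is missing is documentation on the success path: the matching `sock_put` for a queued skb lives in the MHI ul_callback (per the commit message), not in this function, so a one-line comment next to the hold, stating that the reference is released by the ul_callback on completion, would stop the next reader from flagging the success path as a leak.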