Merge branch 'fix-uaf-bugs-caused-by-ax25_release'

Duoming Zhou says: ==================== Fix UAF bugs caused by ax25_release() The first patch fixes UAF bugs in ax25_send_control, and the second patch fixes UAF bugs in ax25 timers. ==================== Link: https://lore.kernel.org/r/cover.1648472006.git.duoming@zju.edu.cnSigned-off-by: Paolo Abeni <pabeni@redhat.com>

Merge branch 'fix-uaf-bugs-caused-by-ax25_release'
Duoming Zhou says: ==================== Fix UAF bugs caused by ax25_release() The first patch fixes UAF bugs in ax25_send_control, and the second patch fixes UAF bugs in ax25 timers. ==================== Link: https://lore.kernel.org/r/cover.1648472006.git.duoming@zju.edu.cnSigned-off-by: Paolo Abeni <pabeni@redhat.com>
807ca64e · Paolo Abeni · f19c4445 · 82e31755 · 807ca64e
Commit 807ca64e authored Mar 29, 2022 by Paolo Abeni
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 4 deletions

net/ax25/af_ax25.c net/ax25/af_ax25.c +9 -4

No files found.
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -991,10 +991,6 @@ static int ax25_release(struct socket *sock)
 	sock_orphan(sk);
 	ax25 = sk_to_ax25(sk);
 	ax25_dev = ax25->ax25_dev;
-	if (ax25_dev) {
-		dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
-		ax25_dev_put(ax25_dev);
-	}

 	if (sk->sk_type == SOCK_SEQPACKET) {
 		switch (ax25->state) {
@@ -1056,6 +1052,15 @@ static int ax25_release(struct socket *sock)
 		sk->sk_state_change(sk);
 		ax25_destroy_socket(ax25);
 	}
+	if (ax25_dev) {
+		del_timer_sync(&ax25->timer);
+		del_timer_sync(&ax25->t1timer);
+		del_timer_sync(&ax25->t2timer);
+		del_timer_sync(&ax25->t3timer);
+		del_timer_sync(&ax25->idletimer);
+		dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
+		ax25_dev_put(ax25_dev);
+	}

 	sock->sk   = NULL;
 	release_sock(sk);