github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-10 07:32:29 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
dd66b42854
linux/net
History
Manivannan Sadhasivam 7809fea20c net: qrtr: ns: Fix use-after-free in driver remove() 
In the remove callback, if a packet arrives after destroy_workqueue() is
called, but before sock_release(), the qrtr_ns_data_ready() callback will
try to queue the work, causing use-after-free issue.

Fix this issue by saving the default 'sk_data_ready' callback during
qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at
the start of remove(). This ensures that even if a packet arrives after
destroy_workqueue(), the work struct will not be dereferenced.

Note that it is also required to ensure that the RX threads are completed
before destroying the workqueue, because the threads could be using the
qrtr_ns_data_ready() callback.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13 15:34:07 -07:00
..
6lowpan
9p Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
802 Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
8021q Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
appletalk Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
atm atm: lec: fix use-after-free in sock_def_readable() 2026-03-14 08:05:47 -07:00
ax25 Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
batman-adv Here are two batman-adv bugfixes: 2026-04-08 18:50:27 -07:00
bluetooth Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync 2026-04-01 16:48:28 -04:00
bpf Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
bridge bridge: guard local VLAN-0 FDB helpers against NULL vlan group 2026-04-03 14:45:51 -07:00
caif Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
can can: raw: fix ro->uniq use-after-free in raw_rcv() 2026-04-09 18:51:42 +02:00
ceph libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() 2026-03-11 10:18:56 +01:00
core bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops 2026-04-12 12:28:05 -07:00
dcb Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
devlink devlink: Fix incorrect skb socket family dumping 2026-04-08 19:34:38 -07:00
dns_resolver net/dns_resolver: use credential guards in dns_query() 2025-11-04 12:36:51 +01:00
dsa Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ethernet bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
ethtool Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
handshake treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
hsr net: hsr: fix VLAN add unwind on slave errors 2026-04-02 08:23:49 -07:00
ieee802154 Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ife
ipv4 ipsec-2026-04-08 2026-04-08 18:54:32 -07:00
ipv6 net: ioam6: fix OOB and missing lock 2026-04-08 19:08:56 -07:00
iucv Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
kcm kcm: fix zero-frag skb in frag_list on partial sendmsg error 2026-02-23 17:26:55 -08:00
key net: af_key: zero aligned sockaddr tail in PF_KEY exports 2026-04-07 11:08:24 +02:00
l2tp l2tp: Drop large packets with UDP encap 2026-04-09 10:19:05 +02:00
l3mdev
lapb treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
llc treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
mac80211 wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure 2026-03-18 09:09:58 +01:00
mac802154 bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
mctp mctp: route: hold key->lock in mctp_flow_prepare_output() 2026-03-10 11:38:36 +01:00
mpls mpls: add seqcount to protect the platform_label{,s} pair 2026-03-26 18:32:14 -07:00
mptcp Revert "mptcp: add needs_id for netlink appending addr" 2026-04-08 19:31:16 -07:00
ncsi net: ncsi: fix skb leak in error paths 2026-03-06 17:34:48 -08:00
netfilter netfilter: nfnetlink_queue: make hash table per queue 2026-04-08 13:34:51 +02:00
netlabel Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
netlink Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
netrom Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfc NFC: digital: Bounds check NFC-A cascade depth in SDD response handler 2026-04-12 11:40:45 -07:00
nsh
openvswitch openvswitch: validate MPLS set/set_masked payload length 2026-03-20 18:37:31 -07:00
packet net: fix fanout UAF in packet_release() via NETDEV_UP race 2026-03-23 17:07:19 -07:00
phonet bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
psample treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
psp Including fixes from IPsec, Bluetooth and netfilter 2026-02-26 08:00:13 -08:00
qrtr net: qrtr: ns: Fix use-after-free in driver remove() 2026-04-13 15:34:07 -07:00
rds net/rds: Restrict use of RDS/IB to the initial network namespace 2026-04-12 13:33:19 -07:00
rfkill net: rfkill: prevent unlimited numbers of rfkill events from being created 2026-04-07 12:35:04 +02:00
rose net: rose: reject truncated CLEAR_REQUEST frames in state machines 2026-04-12 13:09:45 -07:00
rxrpc rxrpc: proc: size address buffers for %pISpc output 2026-04-08 18:45:32 -07:00
sched net/sched: act_ct: Only release RCU read lock after ct_ft 2026-04-12 09:26:15 -07:00
sctp Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
shaper net: shaper: protect from late creation of hierarchy 2026-03-19 13:47:15 +01:00
smc net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer 2026-03-20 18:59:30 -07:00
strparser Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-11-13 12:35:38 -08:00
sunrpc nfsd-7.0 fixes: 2026-03-18 14:27:11 -07:00
switchdev treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
tipc tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG 2026-04-03 15:31:17 -07:00
tls net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption 2026-04-07 14:53:42 +02:00
unix af_unix: read UNIX_DIAG_VFS data under unix_state_lock 2026-04-08 19:33:52 -07:00
vmw_vsock vsock: fix buffer size clamping order 2026-04-12 14:31:50 -07:00
wireless wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down 2026-03-06 12:41:59 +01:00
x25 net/x25: Fix overflow when accumulating packets 2026-04-02 13:36:08 +02:00
xdp xsk: validate MTU against usable frame size on bind 2026-04-06 18:43:51 -07:00
xfrm xfrm_user: fix info leak in build_report() 2026-04-07 10:36:38 +02:00
compat.c socket: Unify getsockname and getpeername implementation 2025-11-26 13:45:23 -07:00
devres.c
Kconfig net: Kconfig: discourage drop_monitor enablement 2025-10-17 16:29:26 -07:00
Kconfig.debug
Makefile
socket.c net: Drop the lock in skb_may_tx_timestamp() 2026-02-24 11:27:29 +01:00
sysctl_net.c