On Wed, Apr 21, 2021 at 10:40:07AM -0700, Bjorn Andersson wrote:
> It is possible that the MHI ul_callback will be invoked immediately
> following the queueing of the skb for transmission, leading to the
> callback decrementing the refcount of the associated sk and freeing the
> skb.
>
> As such the dereference of skb and the increment of the sk refcount must
> happen before the skb is queued, to avoid the skb to be used after free
> and potentially the sk to drop its last refcount..
>
> Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer")
> Signed-off-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx>
Thanks,
Mani
> ---
> net/qrtr/mhi.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/net/qrtr/mhi.c b/net/qrtr/mhi.c
> index 2bf2b1943e61..fa611678af05 100644
> --- a/net/qrtr/mhi.c
> +++ b/net/qrtr/mhi.c
> @@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrtr_endpoint *ep, struct sk_buff *skb)
> struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep);
> int rc;
>
> + if (skb->sk)
> + sock_hold(skb->sk);
> +
> rc = skb_linearize(skb);
> if (rc)
> goto free_skb;
> @@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrtr_endpoint *ep, struct sk_buff *skb)
> if (rc)
> goto free_skb;
>
> - if (skb->sk)
> - sock_hold(skb->sk);
> -
> return rc;
>
> free_skb:
> + if (skb->sk)
> + sock_put(skb->sk);
> kfree_skb(skb);
>
> return rc;
> --
> 2.29.2
>
