4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tyler Hicks <tyhicks@xxxxxxxxxxxxx> The irda_setsockopt() function conditionally allocates memory for a new self->ias_object or, in some cases, reuses the existing self->ias_object. Existing objects were incorrectly reinserted into the LM_IAS database which corrupted the doubly linked list used for the hashbin implementation of the LM_IAS database. When combined with a memory leak in irda_bind(), this issue could be leveraged to create a use-after-free vulnerability in the hashbin list. This patch fixes the issue by only inserting newly allocated objects into the database. CVE-2018-6555 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx> Reviewed-by: Seth Arnold <seth.arnold@xxxxxxxxxxxxx> Reviewed-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/irda/af_irda.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/net/irda/af_irda.c +++ b/net/irda/af_irda.c @@ -2027,7 +2027,11 @@ static int irda_setsockopt(struct socket err = -EINVAL; goto out; } - irias_insert_object(ias_obj); + + /* Only insert newly allocated objects */ + if (free_ias) + irias_insert_object(ias_obj); + kfree(ias_opt); break; case IRLMP_IAS_DEL: