On 7/13/21 9:30 AM, Xiaochen Zou wrote: > j1939_session_destroy() will free both session and session->priv. It > leads to multiple use-after-free read and write in > j1939_session_deactivate() when session was freed in > j1939_session_deactivate_locked(). The free chain is > j1939_session_deactivate_locked()-> > j1939_session_put()->__j1939_session_release()->j1939_session_destroy(). > To fix this bug, I moved j1939_session_put() behind > j1939_session_deactivate_locked() and guarded it with a check of > active since the session would be freed only if active is true. Please include your Signed-off-by. See https://elixir.bootlin.com/linux/v5.12/source/Documentation/process/submitting-patches.rst#L356 Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: OpenPGP digital signature