af9f691f0f
We have to detach sock from socket in qrtr_release(),
otherwise skb->sk may still reference this socket
when the skb is released in tun->queue, particularly
sk->sk_wq still points to &sock->wq, which leads to
a UAF.
Reported-and-tested-by: syzbot+6720d64f31c081c2f708@syzkaller.appspotmail.com
Fixes:
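The lifetime problem described in the commit message, as an added userspace model that is not the kernel code or the patch itself. The names `slot`, `model_release`, `skb_free_is_safe` and `scenario` are hypothetical, and "freed" is modelled by a flag so the stale pointer can be inspected without actually touching freed memory.

```c
/* Userspace model (constructed) of sk->sk_wq outliving the struct socket. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct wait_queue { int waiters; };
struct sock { struct wait_queue *sk_wq; };           /* protocol-level sock */
struct socket { bool live; struct wait_queue wq; struct sock *sk; };
struct sk_buff { struct sock *sk; };                 /* queued skb pins sk */

/* One static slot stands in for the allocator; live == false means freed. */
static struct socket slot;

/* Model of release(): `detach` selects whether sk is cut loose first. */
static void model_release(struct socket *sock, bool detach)
{
    if (detach)
        sock->sk->sk_wq = NULL;   /* sk no longer points into the socket */
    sock->sk = NULL;
    sock->live = false;           /* socket and its embedded wq are gone */
}

/* Freeing the queued skb later reaches sk->sk_wq. Returns true when that
 * access is safe, false when it would land in the freed socket. */
static bool skb_free_is_safe(const struct sk_buff *skb)
{
    const struct wait_queue *wq = skb->sk->sk_wq;
    return wq == NULL || (wq == &slot.wq && slot.live);
}

/* Open a socket, leave one skb queued, release, then free the skb. */
static bool scenario(bool detach)
{
    struct sock sk = { .sk_wq = &slot.wq };  /* sk->sk_wq = &sock->wq */
    struct sk_buff skb = { .sk = &sk };      /* skb still sits in a queue */

    slot.live = true;
    slot.sk = &sk;
    model_release(&slot, detach);
    return skb_free_is_safe(&skb);
}

int main(void)
{
    printf("without detach: safe=%d\n", scenario(false));
    printf("with detach:    safe=%d\n", scenario(true));
    return 0;
}
```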