Merge branch 'fix-uaf-bugs-caused-by-ax25_release'

Paolo Abeni · Paolo Abeni · commit 807ca64e1546 · 2022-03-29T10:24:37.000+02:00
Duoming Zhou says: ==================== Fix UAF bugs caused by ax25_release() The first patch fixes UAF bugs in ax25_send_control, and the second patch fixes UAF bugs in ax25 timers. ==================== Link: https://lore.kernel.org/r/cover.1648472006.git.duoming@zju.edu.cn Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
@@ -991,10 +991,6 @@ static int ax25_release(struct socket *sock)
 	sock_orphan(sk);
 	ax25 = sk_to_ax25(sk);
 	ax25_dev = ax25->ax25_dev;
-	if (ax25_dev) {
-		dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
-		ax25_dev_put(ax25_dev);
-	}
 
 	if (sk->sk_type == SOCK_SEQPACKET) {
 		switch (ax25->state) {
@@ -1056,6 +1052,15 @@ static int ax25_release(struct socket *sock)
 		sk->sk_state_change(sk);
 		ax25_destroy_socket(ax25);
 	}
+	if (ax25_dev) {
+		del_timer_sync(&ax25->timer);
+		del_timer_sync(&ax25->t1timer);
+		del_timer_sync(&ax25->t2timer);
+		del_timer_sync(&ax25->t3timer);
+		del_timer_sync(&ax25->idletimer);
+		dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
+		ax25_dev_put(ax25_dev);
+	}
 
 	sock->sk   = NULL;
 	release_sock(sk);
