From: Cong Wang <xiyou.wangc...@gmail.com>
Date: Fri, 1 May 2020 11:11:08 -0700
> Gengming reported a UAF in lec_arp_clear_vccs(),
> where we add a vcc socket to an entry in a per-device
> list but free the socket without removing it from the
> list when vcc->dev is NULL.
>
> We need to call lec_vcc_close() to search and remove
> those entries that contain the vcc being destroyed. This can
> be done by calling vcc->push(vcc, NULL) unconditionally
> in vcc_destroy_socket().
>
> Another issue discovered by Gengming's reproducer is
> the vcc->dev may point to the static device lecatm_dev,
> for which we don't need to register/unregister device,
> so we can just check for vcc->dev->ops->owner.
>
> Reported-by: Gengming Liu <l.dmxcsn...@gmail.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>

Applied.
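The list/free mismatch described in the quoted commit message, as an added user-space model that is not part of the original message or the kernel source. The struct layout, `arp_table`, `model_push` and `destroy_and_count` are hypothetical simplifications, and nothing is actually freed, so the stale reference can be counted safely.

```c
/* Simplified user-space model; all struct and function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#define TABLE_SIZE 4

struct vcc {
    void *dev;                                   /* NULL: no device attached */
    void (*push)(struct vcc *vcc, void *skb);    /* push(vcc, NULL) signals close */
};

/* Stand-in for the per-device list whose entries point at vccs. */
static struct vcc *arp_table[TABLE_SIZE];

/* Models the close hook: drop every entry that refers to this vcc. */
static void model_push(struct vcc *vcc, void *skb)
{
    if (skb != NULL)
        return;                                  /* data path, not modelled */
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (arp_table[i] == vcc)
            arp_table[i] = NULL;
}

/* Count entries still pointing at vcc; after a free these would dangle. */
static int stale_refs(const struct vcc *vcc)
{
    int n = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++)
        n += (arp_table[i] == vcc);
    return n;
}

/* unconditional=0: push only when dev is set; 1: always push (the fix). */
static int destroy_and_count(int unconditional)
{
    struct vcc v = { .dev = NULL, .push = model_push };
    for (size_t i = 0; i < TABLE_SIZE; i++) arp_table[i] = NULL;
    arp_table[1] = &v;                           /* entry added while vcc is alive */
    if (unconditional || v.dev != NULL)
        v.push(&v, NULL);
    /* the real destroy path releases the socket here; the model only counts */
    return stale_refs(&v);
}

int main(void)
{
    printf("conditional push: %d stale\n", destroy_and_count(0));
    printf("unconditional push: %d stale\n", destroy_and_count(1));
    return 0;
}
```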