On 7/23/20 11:00 PM, Cong Wang wrote:
> On Thu, Jul 23, 2020 at 10:35 PM Eric Dumazet wrote:
>>
>>
>>
>> On 7/23/20 9:50 PM, Cong Wang wrote:
>>> Similar to tun_net_xmit(), we have to orphan the skb
>>> before queuing it, otherwise we may use the socket when
>>> purging the queue after it is fr
On Thu, Jul 23, 2020 at 11:00 PM Cong Wang wrote:
>
> I said socket, not sock. I believe the socket can be gone while the sock is
> still there.
Hmm, looks like sock_orphan() should be called...
On Thu, Jul 23, 2020 at 10:35 PM Eric Dumazet wrote:
>
>
>
> On 7/23/20 9:50 PM, Cong Wang wrote:
> > Similar to tun_net_xmit(), we have to orphan the skb
> > before queuing it, otherwise we may use the socket when
> > purging the queue after it is freed by user-space.
>
> Which socket ?
sk->sk_w
On 7/23/20 9:50 PM, Cong Wang wrote:
> Similar to tun_net_xmit(), we have to orphan the skb
> before queuing it, otherwise we may use the socket when
> purging the queue after it is freed by user-space.
Which socket ?
By not calling skb_orphan(skb), this skb should own a reference on skb->sk
Similar to tun_net_xmit(), we have to orphan the skb
before queuing it, otherwise we may use the socket when
purging the queue after it is freed by user-space.
Reported-and-tested-by: syzbot+6720d64f31c081c2f...@syzkaller.appspotmail.com
Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint t