diff options
| author | Cong Wang <[email protected]> | 2020-05-01 11:11:08 -0700 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2020-05-04 11:59:20 -0700 |
| commit | 93a2014afbace907178afc3c9c1e62c9a338595a (patch) | |
| tree | 4d072dccbc4a89676c4c0b16a27162c9a4cdbe79 /tools/perf/scripts/python/syscall-counts-by-pid.py | |
| parent | 44d95cc6b10ff7439d45839c96c581cb4368c088 (diff) | |
atm: fix a UAF in lec_arp_clear_vccs()
Gengming reported a UAF in lec_arp_clear_vccs(),
where we add a vcc socket to an entry in a per-device
list but free the socket without removing it from the
list when vcc->dev is NULL.
We need to call lec_vcc_close() to search and remove
those entries contain the vcc being destroyed. This can
be done by calling vcc->push(vcc, NULL) unconditionally
in vcc_destroy_socket().
Another issue discovered by Gengming's reproducer is
the vcc->dev may point to the static device lecatm_dev,
for which we don't need to register/unregister device,
so we can just check for vcc->dev->ops->owner.
Reported-by: Gengming Liu <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/syscall-counts-by-pid.py')
0 files changed, 0 insertions, 0 deletions