git/linux-nf
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git synced 2026-04-03 23:38:12 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
598dbba9919c5e36c54fe1709b557d64120cb94b
linux-nf/net
History
Hyunwoo Kim 598dbba991 Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold 
sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-03-19 14:42:35 -04:00
..
6lowpan
net: replace ND_PRINTK with dynamic debug
2025-07-10 15:27:32 -07:00
9p
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
802
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
8021q
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
appletalk
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
atm
atm: lec: fix use-after-free in sock_def_readable()
2026-03-14 08:05:47 -07:00
ax25
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
batman-adv
Merge tag 'batadv-net-pullrequest-20260317' of https://git.open-mesh.org/linux-merge
2026-03-18 17:41:00 -07:00
bluetooth
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
2026-03-19 14:42:35 -04:00
bpf
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
bridge
bridge: cfm: Fix race condition in peer_mep deletion
2026-03-12 18:33:52 -07:00
caif
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
can
can: bcm: fix locking for bcm_op runtime updates
2026-03-02 10:24:40 +01:00
ceph
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
core
neighbour: restore protocol != 0 check in pneigh update
2026-03-11 19:04:55 -07:00
dcb
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
devlink
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
dns_resolver
net/dns_resolver: use credential guards in dns_query()
2025-11-04 12:36:51 +01:00
dsa
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ethernet
bonding: prevent potential infinite loop in bond_header_parse()
2026-03-16 19:29:45 -07:00
ethtool
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
handshake
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
hsr
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ieee802154
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ife
ipv4
icmp: fix NULL pointer dereference in icmp_tag_validation()
2026-03-19 09:27:36 -07:00
ipv6
ipv6: add NULL checks for idev in SRv6 paths
2026-03-18 17:23:43 -07:00
iucv
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
kcm
kcm: fix zero-frag skb in frag_list on partial sendmsg error
2026-02-23 17:26:55 -08:00
key
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
l2tp
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
l3mdev
net: fib_rules: Fix iif / oif matching on L3 master device
2025-04-15 17:54:56 -07:00
lapb
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
llc
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
mac80211
wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
2026-03-18 09:09:58 +01:00
mac802154
bonding: prevent potential infinite loop in bond_header_parse()
2026-03-16 19:29:45 -07:00
mctp
mctp: route: hold key->lock in mctp_flow_prepare_output()
2026-03-10 11:38:36 +01:00
mpls
mpls: add missing unregister_netdevice_notifier to mpls_init
2026-03-12 19:25:59 -07:00
mptcp
MPTCP: fix lock class name family in pm_nl_create_listen_socket
2026-03-19 09:37:48 -07:00
ncsi
net: ncsi: fix skb leak in error paths
2026-03-06 17:34:48 -08:00
netfilter
nfnetlink_osf: validate individual option lengths in fingerprints
2026-03-19 10:27:07 +01:00
netlabel
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
netlink
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
netrom
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nfc
nfc: rawsock: cancel tx_work before socket teardown
2026-03-04 18:18:57 -08:00
nsh
openvswitch
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
packet
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
phonet
bonding: prevent potential infinite loop in bond_header_parse()
2026-03-16 19:29:45 -07:00
psample
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
psp
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
qrtr
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
rds
net/rds: Fix circular locking dependency in rds_tcp_tune
2026-03-03 12:57:06 +01:00
rfkill
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
rose
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
2026-03-12 19:23:59 -07:00
rxrpc
rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
2026-03-06 17:49:52 -08:00
sched
clsact: Fix use-after-free in init/destroy rollback asymmetry
2026-03-17 12:09:16 +01:00
sctp
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
shaper
net: shaper: protect from late creation of hierarchy
2026-03-19 13:47:15 +01:00
smc
net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
2026-03-16 19:31:28 -07:00
strparser
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2025-11-13 12:35:38 -08:00
sunrpc
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
switchdev
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
tipc
tipc: fix divide-by-zero in tipc_sk_filter_connect()
2026-03-11 18:56:28 -07:00
tls
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
unix
af_unix: Give up GC if MSG_PEEK intervened.
2026-03-12 13:37:18 -07:00
vmw_vsock
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
wireless
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
2026-03-06 12:41:59 +01:00
x25
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
xdp
xsk: Fix zero-copy AF_XDP fragment drop
2026-02-28 08:55:11 -08:00
xfrm
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
compat.c
socket: Unify getsockname and getpeername implementation
2025-11-26 13:45:23 -07:00
devres.c
Kconfig
net: Kconfig: discourage drop_monitor enablement
2025-10-17 16:29:26 -07:00
Kconfig.debug
Makefile
psp: base PSP device support
2025-09-18 12:32:06 +02:00
socket.c
net: Drop the lock in skb_may_tx_timestamp()
2026-02-24 11:27:29 +01:00
sysctl_net.c