From: Eric Dumazet <eduma...@google.com>
Date: Sun, 10 Mar 2019 09:07:14 -0700

> In case of failure x25_connect() does a x25_neigh_put(x25->neighbour)
> but forgets to clear x25->neighbour pointer, thus triggering use-after-free.
>
> Since the socket is visible in x25_list, we need to hold x25_list_lock
> to protect the operation.
>
> syzbot report : ...
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: syzbot+04babcefcd396fabe...@syzkaller.appspotmail.com

Applied and queued up for -stable.
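
The failure mode described in the quoted commit message, as an added userspace C model (not the kernel code and not part of this thread). `struct x25_model`, `connect_fail`, `later_release` and the `released` flag are hypothetical stand-ins, and a pthread mutex stands in for `x25_list_lock`.

```c
/* Userspace model of the bug described in the commit message; not kernel code. */
#include <pthread.h>
#include <stdio.h>
struct neigh { int refcnt; int released; };    /* released=1 models the free */
struct x25_model { struct neigh *neighbour; }; /* models x25->neighbour */
static pthread_mutex_t list_lock = PTHREAD_MUTEX_INITIALIZER; /* models x25_list_lock */

/* Drop one reference; returns 1 if the object was already released (the UAF). */
static int neigh_put(struct neigh *n)
{
    if (n->released) return 1;
    if (--n->refcnt == 0) n->released = 1;
    return 0;
}

/* Failure path: fixed=0 leaves the pointer dangling, fixed=1 clears it under the lock. */
static void connect_fail(struct x25_model *x25, int fixed)
{
    if (fixed) pthread_mutex_lock(&list_lock);
    neigh_put(x25->neighbour);
    if (fixed) {
        x25->neighbour = NULL;
        pthread_mutex_unlock(&list_lock);
    }
}

/* Hypothetical later user reaching the socket via the list; returns stale uses. */
static int later_release(struct x25_model *x25)
{
    int stale = 0;
    pthread_mutex_lock(&list_lock);
    if (x25->neighbour) stale = neigh_put(x25->neighbour);
    x25->neighbour = NULL;
    pthread_mutex_unlock(&list_lock);
    return stale;
}

/* Constructed scenario: connect holds the only reference, then fails. */
static int stale_uses(int fixed)
{
    struct neigh nb = { 1, 0 };
    struct x25_model x25 = { &nb };
    connect_fail(&x25, fixed);
    return later_release(&x25);
}

int main(void)
{
    return printf("stale uses: before fix %d, after fix %d\n", stale_uses(0), stale_uses(1)) < 0;
}
```

In the model the object is only flagged as released rather than actually freed, so the stale access is counted deterministically instead of invoking undefined behaviour.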