Similar to tun_net_xmit(), we have to orphan the skb before queuing it, otherwise we may use the socket when purging the queue after it is freed by user-space.
Reported-and-tested-by: syzbot+6720d64f31c081c2f...@syzkaller.appspotmail.com Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space") Cc: Bjorn Andersson <bjorn.anders...@linaro.org> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com> --- net/qrtr/tun.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index 15ce9b642b25..54a565dcfef3 100644 --- a/net/qrtr/tun.c +++ b/net/qrtr/tun.c @@ -20,6 +20,7 @@ static int qrtr_tun_send(struct qrtr_endpoint *ep, struct sk_buff *skb) { struct qrtr_tun *tun = container_of(ep, struct qrtr_tun, ep); + skb_orphan(skb); skb_queue_tail(&tun->queue, skb); /* wake up any blocking processes, waiting for new data */ -- 2.27.0
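Review bot: The added skb_orphan(skb) call in qrtr_tun_send() has no comment, so the reason for it lives only in the commit message. A one-line comment above it, for example /* drop the socket reference: tun->queue may be purged after the socket is freed */, would keep a later reader from removing the call as redundant. Orphaning also runs the skb destructor, so an skb sitting on tun->queue is no longer charged to the sending socket's send buffer, and the visible lines show no length check before skb_queue_tail(&tun->queue, skb). It is worth confirming that something else bounds the queue when user space stops reading from it.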