189ff16722
Because atalk_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with atalk_recvmsg().
A use-after-free for skb occurs with the following flow.
```
atalk_ioctl() -> skb_peek()
atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
```
Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
Fixes:
| Name |
|---|
| aarp.c |
| atalk_proc.c |
| ddp.c |
| dev.c |
| Kconfig |
| Makefile |
| sysctl_net_atalk.c |
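
The locking pattern the commit message describes, as a userspace C model added here (not the kernel patch or any code from this tree): the peek and the length read sit in the same critical section the receive path uses to unlink a buffer, so the reader never dereferences a buffer the receiver has already freed. The names `q_inq`, `q_recv`, `q_enqueue`, the spinlock helpers and the `hdr_len` parameter are assumptions for illustration.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed userspace model; names echo the commit message, not kernel APIs. */
struct skb { struct skb *next; long len; };
struct queue { atomic_flag lock; struct skb *head, *tail; };

static void q_init(struct queue *q) { atomic_flag_clear(&q->lock); q->head = q->tail = NULL; }
static void q_lock(struct queue *q)
{
    while (atomic_flag_test_and_set_explicit(&q->lock, memory_order_acquire))
        ; /* spin until the holder releases */
}
static void q_unlock(struct queue *q) { atomic_flag_clear_explicit(&q->lock, memory_order_release); }

/* Producer: append a buffer of the given length. */
static int q_enqueue(struct queue *q, long len)
{
    struct skb *s = malloc(sizeof(*s));
    if (!s) return -1;
    s->next = NULL; s->len = len;
    q_lock(q);
    if (q->tail) q->tail->next = s; else q->head = s;
    q->tail = s;
    q_unlock(q);
    return 0;
}

/* recvmsg side: unlink the head under the lock, then free it. */
static long q_recv(struct queue *q)
{
    q_lock(q);
    struct skb *s = q->head;
    if (s) { q->head = s->next; if (!q->head) q->tail = NULL; }
    q_unlock(q);
    if (!s) return -1;
    long len = s->len;
    free(s); /* a pointer taken by an unlocked peek would dangle from here on */
    return len;
}

/* ioctl side, fixed form: peek and read len under the lock, return a copy. */
static long q_inq(struct queue *q, long hdr_len)
{
    long amount = 0;
    q_lock(q);
    struct skb *s = q->head; /* plays the role of skb_peek() */
    if (s) amount = s->len - hdr_len;
    q_unlock(q);
    return amount; /* only the copied value leaves the critical section */
}
```

The unsafe variant would take `q->head` without `q_lock()` and read `s->len` afterwards, which is the window in which `q_recv()` can free the buffer.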