On 11/18/22 16:44, Xin Long wrote:
The race exists beteen tipc_topsrv_accept() and tipc_conn_close(), one is allocating the con while the other is freeing it and there is no proper lock protecting it. Therefore, a null-pointer-defer and a use-after-free may be triggered, see details on each patch. Xin Long (2): tipc: set con sock in tipc_conn_alloc tipc: add an extra conn_get in tipc_conn_alloc net/tipc/topsrv.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-)
Series Acked-by: Jon Maloy <jma...@redhat.com> _______________________________________________ tipc-discussion mailing list tipc-discussion@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tipc-discussion
