Similar to tun_net_xmit(), we have to orphan the skb before queuing it, otherwise we may use the socket when purging the queue after it is freed by user-space.
Reported-and-tested-by: [email protected] Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space") Cc: Bjorn Andersson <[email protected]> Signed-off-by: Cong Wang <[email protected]> --- net/qrtr/tun.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index 15ce9b642b25..54a565dcfef3 100644 --- a/net/qrtr/tun.c +++ b/net/qrtr/tun.c @@ -20,6 +20,7 @@ static int qrtr_tun_send(struct qrtr_endpoint *ep, struct sk_buff *skb) { struct qrtr_tun *tun = container_of(ep, struct qrtr_tun, ep); + skb_orphan(skb); skb_queue_tail(&tun->queue, skb); /* wake up any blocking processes, waiting for new data */ -- 2.27.0
