| author | Eric Dumazet <edumazet@google.com> | 2025-03-12 08:22:49 +0000 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2025-03-18 13:18:36 +0100 |
| commit | eb0dfc0ef195a04e519b15d73cf25d8c25ee8df7 (patch) | |
| tree | 48152b079fdd9b88da44c66019531b708507b943 /include | |
| parent | ipv4: frags: remove ipq_put() (diff) | |

inet: frags: change inet_frag_kill() to defer refcount updates

In the following patch, we no longer assume inet_frag_kill()
callers own a reference.

Consuming two refcounts from inet_frag_kill() would lead to UAF.

Propagate the pointer to the refs that will be consumed later
by the final inet_frag_putn() call.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250312082250.1803501-4-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Diffstat (limited to 'include')
| -rw-r--r-- | include/net/inet_frag.h | 2 |
| -rw-r--r-- | include/net/ipv6_frag.h | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h index 26687ad0b141..0eccd9c3a883 100644 --- a/include/net/inet_frag.h +++ b/include/net/inet_frag.h @@ -137,7 +137,7 @@ static inline void fqdir_pre_exit(struct fqdir *fqdir) } void fqdir_exit(struct fqdir *fqdir); -void inet_frag_kill(struct inet_frag_queue *q); +void inet_frag_kill(struct inet_frag_queue *q, int *refs); void inet_frag_destroy(struct inet_frag_queue *q); struct inet_frag_queue *inet_frag_find(struct fqdir *fqdir, void *key); diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h index 9d968d7d9fa4..38ef66826939 100644 --- a/include/net/ipv6_frag.h +++ b/include/net/ipv6_frag.h @@ -78,7 +78,7 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq) goto out; fq->q.flags |= INET_FRAG_DROP; - inet_frag_kill(&fq->q); + inet_frag_kill(&fq->q, &refs); dev = dev_get_by_index_rcu(net, fq->iif); if (!dev) |
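
Review bot: the new `int *refs` parameter on the inet_frag_kill() prototype in include/net/inet_frag.h carries no comment stating its contract. The commit message says the references are consumed later by the final inet_frag_putn() call, but nothing at the declaration tells a caller that, or whether `refs` may be NULL or must be initialised before the call. A short comment above the prototype saying that the count is handed back through `*refs` and that the caller must pass it to inet_frag_putn() would make a missed put (a leaked queue) or an extra put (the UAF the commit message warns about) easier to catch when new callers are added.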
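
Review bot: in ip6frag_expire_frag_queue() the call `inet_frag_kill(&fq->q, &refs);` takes the address of `refs`, yet this hunk shows neither its declaration nor its initialisation, and the diffstat shows this one line as the only change to include/net/ipv6_frag.h. Please confirm that `refs` is declared and initialised before the call, and that every path after it, including the `if (!dev)` branch immediately below, reaches the inet_frag_putn() that consumes the count. Since the view here is limited to 'include', a sentence in the commit message naming where `refs` is introduced for this function would let the header change be checked without reading the rest of the series.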
