]> www.infradead.org Git - users/jedix/linux-maple.git/commit
projects / users / jedix / linux-maple.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: a2fb987) | patch
inet: frags: change inet_frag_kill() to defer refcount updates
authorEric Dumazet <edumazet@google.com>
Wed, 12 Mar 2025 08:22:49 +0000 (08:22 +0000)
committerPaolo Abeni <pabeni@redhat.com>
Tue, 18 Mar 2025 12:18:36 +0000 (13:18 +0100)
commiteb0dfc0ef195a04e519b15d73cf25d8c25ee8df7
tree48152b079fdd9b88da44c66019531b708507b943tree
parenta2fb987c0ecf0498cc17056339cb11d128c46ab7commit | diff
inet: frags: change inet_frag_kill() to defer refcount updates

In the following patch, we no longer assume inet_frag_kill()
callers own a reference.

Consuming two refcounts from inet_frag_kill() would lead in UAF.

Propagate the pointer to the refs that will be consumed later
by the final inet_frag_putn() call.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250312082250.1803501-4-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
include/net/inet_frag.h diff | blob | history
include/net/ipv6_frag.h diff | blob | history
net/ieee802154/6lowpan/reassembly.c diff | blob | history
net/ipv4/inet_fragment.c diff | blob | history
net/ipv4/ip_fragment.c diff | blob | history
net/ipv6/netfilter/nf_conntrack_reasm.c diff | blob | history
net/ipv6/reassembly.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.