tcp: Fix use-after-free of nreq in reqsk_timer_handler(). - kernel

diff options

author	Kuniyuki Iwashima <[email protected]>	2024-11-23 17:42:36 +0000
committer	Paolo Abeni <[email protected]>	2024-11-28 08:48:00 +0000
commit	c31e72d021db2714df03df6c42855a1db592716c (patch)
tree	cbe71525f6fe8559b6936130c3e3496f915dfeec /drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
parent	net: phy: fix phy_ethtool_set_eee() incorrectly enabling LPI (diff)
download	kernel-c31e72d021db2714df03df6c42855a1db592716c.tar.gz kernel-c31e72d021db2714df03df6c42855a1db592716c.zip

tcp: Fix use-after-free of nreq in reqsk_timer_handler().

The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with __inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler(). Then, oreq should be passed to reqsk_put() instead of req; otherwise use-after-free of nreq could happen when reqsk is migrated but the retry attempt failed (e.g. due to timeout). Let's pass oreq to reqsk_put(). Fixes: e8c526f2bdf1 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().") Reported-by: Liu Jian <[email protected]> Closes: https://lore.kernel.org/netdev/[email protected]/ Signed-off-by: Kuniyuki Iwashima <[email protected]> Reviewed-by: Vadim Fedorenko <[email protected]> Reviewed-by: Liu Jian <[email protected]> Reviewed-by: Eric Dumazet <[email protected]> Reviewed-by: Martin KaFai Lau <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Paolo Abeni <[email protected]>

Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: