net/tcp_sigpool: Use kref_get_unless_zero()

The freeing and re-allocation of algorithm are protected by cpool_mutex, so it doesn't fix an actual use-after-free, but avoids a deserved refcount_warn_saturate() warning. A trivial fix for the racy behavior. Fixes: 8c73b26315aa ("net/tcp: Prepare tcp_md5sig_pool for TCP-AO") Suggested-by: Eric Dumazet <[email protected]> Signed-off-by: Dmitry Safonov <[email protected]> Tested-by: Bagas Sanjaya <[email protected]> Reported-by: syzbot <[email protected]> Reviewed-by: Eric Dumazet <[email protected]> Signed-off-by: David S. Miller <[email protected]>
author: Dmitry Safonov <[email protected]> 2023-12-22 01:13:59 +0000
committer: David S. Miller <[email protected]> 2024-01-01 14:42:05 +0000
commit: b901a4e276943f61e11ddb597a0abc1e7dfadf0f (patch)
tree: 16373ff28e2e7a910f579d8559099acf9b82944f
parent: 8fcb0382af6f1ef50936f1be05b8149eb2f88496 (diff)
1 files changed, 2 insertions, 3 deletions
diff --git a/net/ipv4/tcp_sigpool.c b/net/ipv4/tcp_sigpool.c
index 55b310a722c7..8512cb09ebc0 100644
--- a/net/ipv4/tcp_sigpool.c
+++ b/net/ipv4/tcp_sigpool.c
@@ -162,9 +162,8 @@ int tcp_sigpool_alloc_ahash(const char *alg, size_t scratch_size)
 		if (strcmp(cpool[i].alg, alg))
 			continue;
 
-		if (kref_read(&cpool[i].kref) > 0)
-			kref_get(&cpool[i].kref);
-		else
+		/* pairs with tcp_sigpool_release() */
+		if (!kref_get_unless_zero(&cpool[i].kref))
 			kref_init(&cpool[i].kref);
 		ret = i;
 		goto out;
author	Dmitry Safonov <[email protected]>	2023-12-22 01:13:59 +0000
committer	David S. Miller <[email protected]>	2024-01-01 14:42:05 +0000
commit	b901a4e276943f61e11ddb597a0abc1e7dfadf0f (patch)
tree	16373ff28e2e7a910f579d8559099acf9b82944f
parent	8fcb0382af6f1ef50936f1be05b8149eb2f88496 (diff)