diff options
| author | Kuniyuki Iwashima <[email protected]> | 2024-11-23 09:42:36 -0800 |
|---|---|---|
| committer | Paolo Abeni <[email protected]> | 2024-11-28 09:48:00 +0100 |
| commit | c31e72d021db2714df03df6c42855a1db592716c (patch) | |
| tree | cbe71525f6fe8559b6936130c3e3496f915dfeec /drivers/fpga/fpga-mgr.c | |
| parent | e2668c34b7e1a2288ea0a97ccf3cd12e2870ca18 (diff) | |
tcp: Fix use-after-free of nreq in reqsk_timer_handler().
The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with
__inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler().
Then, oreq should be passed to reqsk_put() instead of req; otherwise
use-after-free of nreq could happen when reqsk is migrated but the
retry attempt failed (e.g. due to timeout).
Let's pass oreq to reqsk_put().
Fixes: e8c526f2bdf1 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().")
Reported-by: Liu Jian <[email protected]>
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Kuniyuki Iwashima <[email protected]>
Reviewed-by: Vadim Fedorenko <[email protected]>
Reviewed-by: Liu Jian <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Reviewed-by: Martin KaFai Lau <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
Diffstat (limited to 'drivers/fpga/fpga-mgr.c')
0 files changed, 0 insertions, 0 deletions