mirror of
https://github.com/torvalds/linux.git
synced 2025-11-04 02:30:34 +02:00
macsec: fix reference counting on RXSC in macsec_handle_frame
Currently, we lookup the RXSC without taking a reference on it. The
RXSA holds a reference on the RXSC, but the SA and SC could still both
disappear before we take a reference on the SA.
Take a reference on the RXSC in macsec_handle_frame.
Fixes: c09440f7dc ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Sabrina Dubroca
David S. Miller
parent
122e9b7127
commit
c78ebe1df0
1 changed files with 8 additions and 1 deletions
|
|
@ -863,6 +863,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err)
|
||||||
struct net_device *dev = skb->dev;
|
struct net_device *dev = skb->dev;
|
||||||
struct macsec_dev *macsec = macsec_priv(dev);
|
struct macsec_dev *macsec = macsec_priv(dev);
|
||||||
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
|
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
|
||||||
|
struct macsec_rx_sc *rx_sc = rx_sa->sc;
|
||||||
int len, ret;
|
int len, ret;
|
||||||
u32 pn;
|
u32 pn;
|
||||||
|
|
||||||
|
|
@ -891,6 +892,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err)
|
||||||
|
|
||||||
out:
|
out:
|
||||||
macsec_rxsa_put(rx_sa);
|
macsec_rxsa_put(rx_sa);
|
||||||
|
macsec_rxsc_put(rx_sc);
|
||||||
dev_put(dev);
|
dev_put(dev);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1106,6 +1108,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
|
||||||
|
|
||||||
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
||||||
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
|
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
|
||||||
|
sc = sc ? macsec_rxsc_get(sc) : NULL;
|
||||||
|
|
||||||
if (sc) {
|
if (sc) {
|
||||||
secy = &macsec->secy;
|
secy = &macsec->secy;
|
||||||
|
|
@ -1180,8 +1183,10 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
|
||||||
|
|
||||||
if (IS_ERR(skb)) {
|
if (IS_ERR(skb)) {
|
||||||
/* the decrypt callback needs the reference */
|
/* the decrypt callback needs the reference */
|
||||||
if (PTR_ERR(skb) != -EINPROGRESS)
|
if (PTR_ERR(skb) != -EINPROGRESS) {
|
||||||
macsec_rxsa_put(rx_sa);
|
macsec_rxsa_put(rx_sa);
|
||||||
|
macsec_rxsc_put(rx_sc);
|
||||||
|
}
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
*pskb = NULL;
|
*pskb = NULL;
|
||||||
return RX_HANDLER_CONSUMED;
|
return RX_HANDLER_CONSUMED;
|
||||||
|
|
@ -1197,6 +1202,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
|
||||||
|
|
||||||
if (rx_sa)
|
if (rx_sa)
|
||||||
macsec_rxsa_put(rx_sa);
|
macsec_rxsa_put(rx_sa);
|
||||||
|
macsec_rxsc_put(rx_sc);
|
||||||
|
|
||||||
ret = gro_cells_receive(&macsec->gro_cells, skb);
|
ret = gro_cells_receive(&macsec->gro_cells, skb);
|
||||||
if (ret == NET_RX_SUCCESS)
|
if (ret == NET_RX_SUCCESS)
|
||||||
|
|
@ -1212,6 +1218,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
|
||||||
drop:
|
drop:
|
||||||
macsec_rxsa_put(rx_sa);
|
macsec_rxsa_put(rx_sa);
|
||||||
drop_nosa:
|
drop_nosa:
|
||||||
|
macsec_rxsc_put(rx_sc);
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
drop_direct:
|
drop_direct:
|
||||||
kfree_skb(skb);
|
kfree_skb(skb);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue