author Eric Dumazet <edumazet@google.com> 2025-03-12 08:22:49 +0000
committer Paolo Abeni <pabeni@redhat.com> 2025-03-18 13:18:36 +0100
commit eb0dfc0ef195a04e519b15d73cf25d8c25ee8df7
tree 48152b079fdd9b88da44c66019531b708507b943
parent a2fb987c0ecf0498cc17056339cb11d128c46ab7
inet: frags: change inet_frag_kill() to defer refcount updates
In the following patch, we no longer assume inet_frag_kill() callers own a reference.

Consuming two refcounts from inet_frag_kill() would lead to UAF.

Propagate the pointer to the refs that will be consumed later by the final inet_frag_putn() call.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250312082250.1803501-4-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'include/net/ipv6_frag.h')
-rw-r--r-- include/net/ipv6_frag.h 2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
index 9d968d7d9fa4..38ef66826939 100644
--- a/include/net/ipv6_frag.h
+++ b/include/net/ipv6_frag.h
@@ -78,7 +78,7 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq)
goto out;
fq->q.flags |= INET_FRAG_DROP;
- inet_frag_kill(&fq->q);
+ inet_frag_kill(&fq->q, &refs);
dev = dev_get_by_index_rcu(net, fq->iif);
if (!dev)
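Review bot: the `&refs` argument at the changed `inet_frag_kill(&fq->q, &refs)` call relies on a `refs` variable that this one-line change to the file does not declare, so it must already exist in `ip6frag_expire_frag_queue()`. Please confirm that it is initialized before the earlier `goto out`, and that every exit path, including the `if (!dev)` branch that follows, hands it to the final `inet_frag_putn()` exactly once, since the commit message notes that consuming two refcounts would lead to a use-after-free. A short comment on `inet_frag_kill()` stating that the refcount drops are now deferred into `*refs` and that the caller owns the eventual put would make the new contract clear to other callers.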