Commit c78ebe1d authored by Sabrina Dubroca's avatar Sabrina Dubroca Committed by David S. Miller

macsec: fix reference counting on RXSC in macsec_handle_frame

Currently, we lookup the RXSC without taking a reference on it.  The
RXSA holds a reference on the RXSC, but the SA and SC could still both
disappear before we take a reference on the SA.

Take a reference on the RXSC in macsec_handle_frame.

Fixes: c09440f7 ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 122e9b71
...@@ -863,6 +863,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err) ...@@ -863,6 +863,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err)
struct net_device *dev = skb->dev; struct net_device *dev = skb->dev;
struct macsec_dev *macsec = macsec_priv(dev); struct macsec_dev *macsec = macsec_priv(dev);
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa; struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
struct macsec_rx_sc *rx_sc = rx_sa->sc;
int len, ret; int len, ret;
u32 pn; u32 pn;
...@@ -891,6 +892,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err) ...@@ -891,6 +892,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err)
out: out:
macsec_rxsa_put(rx_sa); macsec_rxsa_put(rx_sa);
macsec_rxsc_put(rx_sc);
dev_put(dev); dev_put(dev);
} }
...@@ -1106,6 +1108,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) ...@@ -1106,6 +1108,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
list_for_each_entry_rcu(macsec, &rxd->secys, secys) { list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci); struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
sc = sc ? macsec_rxsc_get(sc) : NULL;
if (sc) { if (sc) {
secy = &macsec->secy; secy = &macsec->secy;
...@@ -1180,8 +1183,10 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) ...@@ -1180,8 +1183,10 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
if (IS_ERR(skb)) { if (IS_ERR(skb)) {
/* the decrypt callback needs the reference */ /* the decrypt callback needs the reference */
if (PTR_ERR(skb) != -EINPROGRESS) if (PTR_ERR(skb) != -EINPROGRESS) {
macsec_rxsa_put(rx_sa); macsec_rxsa_put(rx_sa);
macsec_rxsc_put(rx_sc);
}
rcu_read_unlock(); rcu_read_unlock();
*pskb = NULL; *pskb = NULL;
return RX_HANDLER_CONSUMED; return RX_HANDLER_CONSUMED;
...@@ -1197,6 +1202,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) ...@@ -1197,6 +1202,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
if (rx_sa) if (rx_sa)
macsec_rxsa_put(rx_sa); macsec_rxsa_put(rx_sa);
macsec_rxsc_put(rx_sc);
ret = gro_cells_receive(&macsec->gro_cells, skb); ret = gro_cells_receive(&macsec->gro_cells, skb);
if (ret == NET_RX_SUCCESS) if (ret == NET_RX_SUCCESS)
...@@ -1212,6 +1218,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) ...@@ -1212,6 +1218,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
drop: drop:
macsec_rxsa_put(rx_sa); macsec_rxsa_put(rx_sa);
drop_nosa: drop_nosa:
macsec_rxsc_put(rx_sc);
rcu_read_unlock(); rcu_read_unlock();
drop_direct: drop_direct:
kfree_skb(skb); kfree_skb(skb);
......
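Review bot: The comment `/* the decrypt callback needs the reference */` in the `IS_ERR(skb)` branch of macsec_handle_frame is now out of date, because with this change the `-EINPROGRESS` case leaves two references (rx_sa and rx_sc) for macsec_decrypt_done to release; I would reword it to `/* the decrypt callback needs the rx_sa and rx_sc references */`. In macsec_decrypt_done, `rx_sc` is read from `rx_sa->sc` at the top and released after `macsec_rxsa_put(rx_sa)`. That is safe only because the pointer is captured before the SA reference is dropped, so a comment on the declaration such as `/* read before macsec_rxsa_put(): that put may drop the last SA reference */` would guard against a later cleanup reintroducing a use-after-free. Both functions start and end outside the hunks shown, so the get/put pairing on paths not visible here (for instance any jump to `drop_direct` after the lookup, which would skip `macsec_rxsc_put`) should be checked against the full file.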