diff options
author | Sabrina Dubroca <sd@queasysnail.net> | 2016-07-29 15:37:53 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-07-30 21:11:08 -0700 |
commit | c78ebe1df01f4ef3fb07be1359bc34df6708d99c (patch) | |
tree | be33ee0b1d42e22cb638a1941abf6f2c8d2c694e /drivers/net/macsec.c | |
parent | 122e9b71273f9d99ed90d51709674bc69c175fa0 (diff) | |
download | op-kernel-dev-c78ebe1df01f4ef3fb07be1359bc34df6708d99c.zip op-kernel-dev-c78ebe1df01f4ef3fb07be1359bc34df6708d99c.tar.gz |
macsec: fix reference counting on RXSC in macsec_handle_frame
Currently, we lookup the RXSC without taking a reference on it. The
RXSA holds a reference on the RXSC, but the SA and SC could still both
disappear before we take a reference on the SA.
Take a reference on the RXSC in macsec_handle_frame.
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/macsec.c')
-rw-r--r-- | drivers/net/macsec.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 2d0beb1..718cf98 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -863,6 +863,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err) struct net_device *dev = skb->dev; struct macsec_dev *macsec = macsec_priv(dev); struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa; + struct macsec_rx_sc *rx_sc = rx_sa->sc; int len, ret; u32 pn; @@ -891,6 +892,7 @@ static void macsec_decrypt_done(struct crypto_async_request *base, int err) out: macsec_rxsa_put(rx_sa); + macsec_rxsc_put(rx_sc); dev_put(dev); } @@ -1106,6 +1108,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) list_for_each_entry_rcu(macsec, &rxd->secys, secys) { struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci); + sc = sc ? macsec_rxsc_get(sc) : NULL; if (sc) { secy = &macsec->secy; @@ -1180,8 +1183,10 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) if (IS_ERR(skb)) { /* the decrypt callback needs the reference */ - if (PTR_ERR(skb) != -EINPROGRESS) + if (PTR_ERR(skb) != -EINPROGRESS) { macsec_rxsa_put(rx_sa); + macsec_rxsc_put(rx_sc); + } rcu_read_unlock(); *pskb = NULL; return RX_HANDLER_CONSUMED; @@ -1197,6 +1202,7 @@ deliver: if (rx_sa) macsec_rxsa_put(rx_sa); + macsec_rxsc_put(rx_sc); ret = gro_cells_receive(&macsec->gro_cells, skb); if (ret == NET_RX_SUCCESS) @@ -1212,6 +1218,7 @@ deliver: drop: macsec_rxsa_put(rx_sa); drop_nosa: + macsec_rxsc_put(rx_sc); rcu_read_unlock(); drop_direct: kfree_skb(skb); |