Commit b901a4e2 authored by Dmitry Safonov's avatar Dmitry Safonov Committed by David S. Miller
Browse files

net/tcp_sigpool: Use kref_get_unless_zero() 



The freeing and re-allocation of algorithm are protected by cpool_mutex,
so it doesn't fix an actual use-after-free, but avoids a deserved
refcount_warn_saturate() warning.

A trivial fix for the racy behavior.

Fixes: 8c73b263 ("net/tcp: Prepare tcp_md5sig_pool for TCP-AO")
Suggested-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
Tested-by: default avatarBagas Sanjaya <bagasdotme@gmail.com>
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 8fcb0382

net/ipv4/tcp_sigpool.c

+2 −3
Original line number Diff line number Diff line
@@ -162,9 +162,8 @@ int tcp_sigpool_alloc_ahash(const char *alg, size_t scratch_size) 
		if (strcmp(cpool[i].alg, alg))

			continue;



		if (kref_read(&cpool[i].kref) > 0)

			kref_get(&cpool[i].kref);

		else

		/* pairs with tcp_sigpool_release() */

		if (!kref_get_unless_zero(&cpool[i].kref))

			kref_init(&cpool[i].kref);

		ret = i;

		goto out;