diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2026-06-12 01:14:04 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-06-12 01:14:05 +0300 |
| commit | c33da0eeca927add8045e16015ace1ec66a297a5 (patch) | |
| tree | 68e9ded362f704151cbdb8eb43b68cfb78a7eff8 /include | |
| parent | f294fc71c4a0fa4964f6428a1b4e7929c1d83125 (diff) | |
| parent | 2821e85c058f81c9948a2fb1a634f7b47457d51c (diff) | |
| download | linux-c33da0eeca927add8045e16015ace1ec66a297a5.tar.xz | |
Merge branch 'net-fib-fix-two-use-after-free-in-drivers-during-rcu-dump'
Kuniyuki Iwashima says:
====================
net: fib: Fix two use-after-free in drivers during RCU dump.
syzbot reported fib_info UAF in netdevsim, and the same bug
exists in rocker and mlxsw.
Patch 1 fixes it, and Patch 2 fixes the same type of bug of
fib_rule.
====================
Link: https://patch.msgid.link/20260610061744.2030996-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/fib_rules.h | 5 | ||||
| -rw-r--r-- | include/net/ip_fib.h | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h index 6e68e359ad18..7dee0ae616e3 100644 --- a/include/net/fib_rules.h +++ b/include/net/fib_rules.h @@ -111,6 +111,11 @@ static inline void fib_rule_get(struct fib_rule *rule) refcount_inc(&rule->refcnt); } +static inline bool fib_rule_get_safe(struct fib_rule *rule) +{ + return refcount_inc_not_zero(&rule->refcnt); +} + static inline void fib_rule_put(struct fib_rule *rule) { if (refcount_dec_and_test(&rule->refcnt)) diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index 318593743b6e..541da2dde626 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h @@ -629,6 +629,11 @@ static inline void fib_info_hold(struct fib_info *fi) refcount_inc(&fi->fib_clntref); } +static inline bool fib_info_hold_safe(struct fib_info *fi) +{ + return refcount_inc_not_zero(&fi->fib_clntref); +} + static inline void fib_info_put(struct fib_info *fi) { if (refcount_dec_and_test(&fi->fib_clntref)) |
