github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-27 00:22:00 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

Merge branch 'tcp-two-fixes-for-socket-migration-in-reqsk_timer_handler'

Browse Source 
Kuniyuki Iwashima says:

====================
tcp: Two fixes for socket migration in reqsk_timer_handler().

The series fixes two bugs in the error path of socket migration
in reqsk_timer_handler().

Patch 1 fixes a potential UAF in reqsk_timer_handler().

Patch 2 fixes imbalanced icsk_accept_queue count.
====================

Link: https://patch.msgid.link/20260506035954.1563147-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski 2026-05-08 14:54:55 -07:00
commit 4378bf6124
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
net/ipv4/inet_connection_sock.c
View File

@ -1108,7 +1108,7 @@ static void reqsk_timer_handler(struct timer_list *t)
if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) {
/* delete timer */
__inet_csk_reqsk_queue_drop(sk_listener, nreq, true);
__inet_csk_reqsk_queue_drop(sk_listener, nreq, false);
goto no_ownership;
}
@ -1134,7 +1134,7 @@ static void reqsk_timer_handler(struct timer_list *t)
}
drop:
__inet_csk_reqsk_queue_drop(sk_listener, oreq, true);
__inet_csk_reqsk_queue_drop(oreq->rsk_listener, oreq, true);
reqsk_put(oreq);
}