macsec: fix reference counting on RXSC in macsec_handle_frame
Currently, we lookup the RXSC without taking a reference on it. The
RXSA holds a reference on the RXSC, but the SA and SC could still both
disappear before we take a reference on the SA.
Take a reference on the RXSC in macsec_handle_frame.
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: Sabrina Dubroca <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 2d0beb1..718cf98 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -863,6 +863,7 @@
struct net_device *dev = skb->dev;
struct macsec_dev *macsec = macsec_priv(dev);
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
+ struct macsec_rx_sc *rx_sc = rx_sa->sc;
int len, ret;
u32 pn;
@@ -891,6 +892,7 @@
out:
macsec_rxsa_put(rx_sa);
+ macsec_rxsc_put(rx_sc);
dev_put(dev);
}
@@ -1106,6 +1108,7 @@
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
+ sc = sc ? macsec_rxsc_get(sc) : NULL;
if (sc) {
secy = &macsec->secy;
@@ -1180,8 +1183,10 @@
if (IS_ERR(skb)) {
/* the decrypt callback needs the reference */
- if (PTR_ERR(skb) != -EINPROGRESS)
+ if (PTR_ERR(skb) != -EINPROGRESS) {
macsec_rxsa_put(rx_sa);
+ macsec_rxsc_put(rx_sc);
+ }
rcu_read_unlock();
*pskb = NULL;
return RX_HANDLER_CONSUMED;
@@ -1197,6 +1202,7 @@
if (rx_sa)
macsec_rxsa_put(rx_sa);
+ macsec_rxsc_put(rx_sc);
ret = gro_cells_receive(&macsec->gro_cells, skb);
if (ret == NET_RX_SUCCESS)
@@ -1212,6 +1218,7 @@
drop:
macsec_rxsa_put(rx_sa);
drop_nosa:
+ macsec_rxsc_put(rx_sc);
rcu_read_unlock();
drop_direct:
kfree_skb(skb);
