Message ID | 20200819152410.1152049-1-alaa@mellanox.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | [net] net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow | expand |
From: Alaa Hleihel <alaa@mellanox.com> Date: Wed, 19 Aug 2020 18:24:10 +0300 > tcf_ct_handle_fragments() shouldn't free the skb when ip_defrag() call > fails. Otherwise, we will cause a double-free bug. > In such cases, just return the error to the caller. > > Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") > Signed-off-by: Alaa Hleihel <alaa@mellanox.com> > Reviewed-by: Roi Dayan <roid@mellanox.com> Applied and queued up for -stable, thank you.
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index e6ad42b11835..2c3619165680 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -704,7 +704,7 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb, err = ip_defrag(net, skb, user); local_bh_enable(); if (err && err != -EINPROGRESS) - goto out_free; + return err; if (!err) { *defrag = true;