git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Eric Dumazet <edumazet@google.com>
	Tue, 5 May 2026 15:39:27 +0000 (15:39 +0000)
committer	Jakub Kicinski <kuba@kernel.org>
	Thu, 7 May 2026 01:11:33 +0000 (18:11 -0700)
commit	c8f7244c8cccaaed4e6c9fe4b8a07e101d0423e5
tree	410de56141b25893ef9a03f0c23982d512c9eabd	tree \| snapshot
parent	770b136ff9bf3e319d19875da59c4f7f4853da3a	commit \| diff

tcp: tcp_child_process() related UAF

tcp_child_process( .. child ...) currently calls sock_put(child).

Unfortunately @child (named @nsk in callers) can be used after
this point to send a RST packet.

To fix this UAF, I remove the sock_put() from tcp_child_process()
and let the callers handle this after it is safe.

Remove @rsk variable in tcp_v4_do_rcv() and change tcp_v6_do_rcv()
so that both functions look the same.

Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260505153927.3435532-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

net/ipv4/tcp_ipv4.c		diff \| blob \| blame \| history
net/ipv4/tcp_minisocks.c		diff \| blob \| blame \| history
net/ipv6/tcp_ipv6.c		diff \| blob \| blame \| history