summaryrefslogtreecommitdiff
path: root/net/ipv6/ip6_input.c
diff options
context:
space:
mode:
authorRobert Shearman <rshearma@brocade.com>2015-06-05 18:51:54 +0100
committerDavid S. Miller <davem@davemloft.net>2015-06-08 12:12:45 -0700
commit27e41fcfa6b326ad44eee7e0b1930d080b270895 (patch)
tree58b71aa33019e31628c0bcdbf557634e1603cb04 /net/ipv6/ip6_input.c
parent1489bdeeae1a47171926e255956c9fc251db13a0 (diff)
ipv6: fix possible use after free of dev stats
The memory pointed to by idev->stats.icmpv6msgdev, idev->stats.icmpv6dev and idev->stats.ipv6 can each be used in an RCU read context without taking a reference on idev. For example, through IP6_*_STATS_* calls in ip6_rcv. These memory blocks are freed without waiting for an RCU grace period to elapse. This could lead to the memory being written to after it has been freed. Fix this by using call_rcu to free the memory used for stats, as well as idev after an RCU grace period has elapsed. Signed-off-by: Robert Shearman <rshearma@brocade.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ip6_input.c')
0 files changed, 0 insertions, 0 deletions