mirror of
https://git.proxmox.com/git/mirror_ubuntu-kernels.git
synced 2025-11-24 23:44:13 +00:00
1ade48d0c2
The existing cleanup routine implementation is not well synchronized
with the syscall routine. When a device is detaching, below race could
occur.
static int ax25_sendmsg(...) {
...
lock_sock()
ax25 = sk_to_ax25(sk);
if (ax25->ax25_dev == NULL) // CHECK
...
ax25_queue_xmit(skb, ax25->ax25_dev->dev); // USE
...
}
static void ax25_kill_by_device(...) {
...
if (s->ax25_dev == ax25_dev) {
s->ax25_dev = NULL;
...
}
Other syscall functions like ax25_getsockopt, ax25_getname,
ax25_info_show also suffer from similar races. To fix them, this patch
introduce lock_sock() into ax25_kill_by_device in order to guarantee
that the nullify action in cleanup routine cannot proceed when another
socket request is pending.
Signed-off-by: Hanjie Wu <nagi@zju.edu.cn>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|---|---|---|
| .. | ||
| af_ax25.c | ||
| ax25_addr.c | ||
| ax25_dev.c | ||
| ax25_ds_in.c | ||
| ax25_ds_subr.c | ||
| ax25_ds_timer.c | ||
| ax25_iface.c | ||
| ax25_in.c | ||
| ax25_ip.c | ||
| ax25_out.c | ||
| ax25_route.c | ||
| ax25_std_in.c | ||
| ax25_std_subr.c | ||
| ax25_std_timer.c | ||
| ax25_subr.c | ||
| ax25_timer.c | ||
| ax25_uid.c | ||
| Kconfig | ||
| Makefile | ||
| sysctl_net_ax25.c | ||