ax25: NPD bug when detaching AX25 device
The existing cleanup routine implementation is not well synchronized
with the syscall routine. When a device is detaching, the race below
could occur.

static int ax25_sendmsg(...) {
  ...
  lock_sock()
  ax25 = sk_to_ax25(sk);
  if (ax25->ax25_dev == NULL) // CHECK
  ...
  ax25_queue_xmit(skb, ax25->ax25_dev->dev); // USE
  ...
}

static void ax25_kill_by_device(...) {
  ...
  if (s->ax25_dev == ax25_dev) {
    s->ax25_dev = NULL;
    ...
}

Other syscall functions like ax25_getsockopt, ax25_getname, ax25_info_show
also suffer from similar races. To fix them, this patch introduces lock_sock()
into ax25_kill_by_device in order to guarantee that the nullify action in
the cleanup routine cannot proceed when another socket request is pending.

Signed-off-by: Hanjie Wu <nagi@zju.edu.cn>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent b2f37aea
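
The CHECK/USE window described in the commit message, as an added user-space model that is not part of the commit or the kernel source. A pthread mutex stands in for lock_sock(), and `struct sock_model`, `kill_by_device` and `sendmsg_model` are hypothetical names; with `patched` set to 0 the cleanup clears the pointer between CHECK and USE, with 1 it waits for the lock first.

```c
/* Added user-space model, not kernel code: a pthread mutex stands in for
 * lock_sock(); struct sock_model and both functions are hypothetical. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>

struct sock_model {
    pthread_mutex_t lock;      /* models the socket lock */
    int *dev;                  /* models ax25->ax25_dev */
    int patched;               /* 1 = cleanup takes the lock before clearing dev */
    atomic_int kill_started;   /* set once the cleanup thread has run or is waiting */
};

/* Models ax25_kill_by_device(): clears the device pointer on detach. */
static void *kill_by_device(void *arg) {
    struct sock_model *s = arg;
    if (s->patched) {
        atomic_store(&s->kill_started, 1);
        pthread_mutex_lock(&s->lock);   /* the fix: wait for the pending request */
    }
    s->dev = NULL;                      /* unpatched: lands between CHECK and USE */
    atomic_store(&s->kill_started, 1);
    if (s->patched)
        pthread_mutex_unlock(&s->lock);
    return NULL;
}

/* Models ax25_sendmsg(): 0 = USE saw a device, -1 = USE saw NULL, -2 = no thread. */
static int sendmsg_model(int patched, int *detached) {
    static int device = 1;              /* constructed stand-in for the net device */
    struct sock_model s = { .dev = &device, .patched = patched };
    pthread_t killer;
    pthread_mutex_init(&s.lock, NULL);
    atomic_init(&s.kill_started, 0);
    pthread_mutex_lock(&s.lock);                        /* lock_sock() */
    int check_ok = (s.dev != NULL);                     /* CHECK: passes */
    if (pthread_create(&killer, NULL, kill_by_device, &s) != 0) {
        pthread_mutex_unlock(&s.lock);
        return -2;
    }
    while (!atomic_load(&s.kill_started))               /* detach is now in flight */
        sched_yield();
    int rc = (check_ok && s.dev != NULL) ? 0 : -1;      /* USE */
    pthread_mutex_unlock(&s.lock);                      /* release_sock() */
    pthread_join(killer, NULL);
    *detached = (s.dev == NULL);        /* pointer is cleared once both sides finish */
    pthread_mutex_destroy(&s.lock);
    return rc;
}
```

In both modes the pointer ends up cleared; the only difference is whether the clearing can land inside a request that has already passed its NULL check.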