diff options
author | Eric Dumazet <edumazet@google.com> | 2015-01-21 12:45:42 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-01-26 09:44:08 +0100 |
commit | 1dc7b90f7cd050ef6d5e511e652347e52874469c (patch) | |
tree | 5362ed5e14526d303ba83fc1f596f69fb63933ba /net/ipv6/ipv6_sockglue.c | |
parent | rhashtable: fix rht_for_each_entry_safe() endless loop (diff) | |
download | linux-1dc7b90f7cd050ef6d5e511e652347e52874469c.tar.xz linux-1dc7b90f7cd050ef6d5e511e652347e52874469c.zip |
ipv6: tcp: fix race in IPV6_2292PKTOPTIONS
IPv6 TCP sockets store in np->pktoptions skbs, and use skb_set_owner_r()
to charge the skb to socket.
It means that destructor must be called while socket is locked.
Therefore, we cannot use skb_get() or atomic_inc(&skb->users)
to protect ourselves : kfree_skb() might race with other users
manipulating sk->sk_forward_alloc
Fix this race by holding socket lock for the duration of
ip6_datagram_recv_ctl()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ipv6_sockglue.c')
-rw-r--r-- | net/ipv6/ipv6_sockglue.c | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 66980d8d98d1..8d766d9100cb 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -996,13 +996,9 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, lock_sock(sk); skb = np->pktoptions; if (skb) - atomic_inc(&skb->users); - release_sock(sk); - - if (skb) { ip6_datagram_recv_ctl(sk, &msg, skb); - kfree_skb(skb); - } else { + release_sock(sk); + if (!skb) { if (np->rxopt.bits.rxinfo) { struct in6_pktinfo src_info; src_info.ipi6_ifindex = np->mcast_oif ? np->mcast_oif : |