tipc: fix race between poll() and setsockopt() - linux

diff options

author	Jon Maloy <jon.maloy@ericsson.com>	2018-01-17 16:42:46 +0100
committer	David S. Miller <davem@davemloft.net>	2018-01-19 21:12:21 +0100
commit	60c2530696320ee6ffe4491c17079fa403790c98 (patch)
tree	619bdaecd86e48c1962a6866e40ada7e09c5addc /usr
parent	l2tp: remove switch block in l2tp_nl_cmd_session_create() (diff)
download	linux-60c2530696320ee6ffe4491c17079fa403790c98.tar.xz linux-60c2530696320ee6ffe4491c17079fa403790c98.zip

tipc: fix race between poll() and setsockopt()

Letting tipc_poll() dereference a socket's pointer to struct tipc_group entails a race risk, as the group item may be deleted in a concurrent tipc_sk_join() or tipc_sk_leave() thread. We now move the 'open' flag in struct tipc_group to struct tipc_sock, and let the former retain only a pointer to the moved field. This will eliminate the race risk. Reported-by: syzbot+799dafde0286795858ac@syzkaller.appspotmail.com Signed-off-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'usr')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: