pppoatm: drop frames to not-ready vcc

The vcc_destroy_socket() closes vcc before the protocol is detached
from vcc by calling vcc->push() with NULL skb. This leaves some time
window, where the protocol may call vcc->send() on closed vcc
and crash.

Now pppoatm_send(), like vcc_sendmsg(), checks for vcc flags that
indicate that vcc is not ready. If the vcc is not ready we just
drop frame. Queueing frames is much more complicated because we
don't have callbacks that inform us about vcc flags changes.

Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/net/atm/pppoatm.c b/net/atm/pppoatm.c
index c4a57bca77bf..aeb726cffc8c 100644
--- a/net/atm/pppoatm.c
+++ b/net/atm/pppoatm.c
@@ -284,6 +284,13 @@ static int pppoatm_send(struct ppp_channel *chan, struct sk_buff *skb)
         bh_lock_sock(sk_atm(vcc));
         if (sock_owned_by_user(sk_atm(vcc)))
                 goto nospace;
+        if (test_bit(ATM_VF_RELEASED, &vcc->flags) ||
+            test_bit(ATM_VF_CLOSE, &vcc->flags) ||
+            !test_bit(ATM_VF_READY, &vcc->flags)) {
+                bh_unlock_sock(sk_atm(vcc));
+                kfree_skb(skb);
+                return DROP_PACKET;
+        }
 
         switch (pvcc->encaps) {         /* LLC encapsulation needed */
         case e_llc: