diff options
| author | Marek Lindner <lindner_marek@yahoo.de> | 2011-04-20 09:40:58 -0400 |
|---|---|---|
| committer | Sven Eckelmann <sven@narfation.org> | 2011-05-01 16:49:03 -0400 |
| commit | 32ae9b221e788413ce68feaae2ca39e406211a0a (patch) | |
| tree | d827f989976a28fea5cdcb349c308baa98182c35 /net/batman-adv/icmp_socket.c | |
| parent | 71e4aa9c465fd66c110667ab5d620fb6a4ef2157 (diff) | |
batman-adv: Make bat_priv->primary_if an rcu protected pointer
The rcu protected macros rcu_dereference() and rcu_assign_pointer()
for the bat_priv->primary_if need to be used, as well as spin/rcu locking.
Otherwise we might end up using a primary_if pointer pointing to already
freed memory.
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Diffstat (limited to 'net/batman-adv/icmp_socket.c')
| -rw-r--r-- | net/batman-adv/icmp_socket.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c index 49079c254476..fa22ba2bb832 100644 --- a/net/batman-adv/icmp_socket.c +++ b/net/batman-adv/icmp_socket.c | |||
| @@ -153,6 +153,7 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff, | |||
| 153 | { | 153 | { |
| 154 | struct socket_client *socket_client = file->private_data; | 154 | struct socket_client *socket_client = file->private_data; |
| 155 | struct bat_priv *bat_priv = socket_client->bat_priv; | 155 | struct bat_priv *bat_priv = socket_client->bat_priv; |
| 156 | struct hard_iface *primary_if = NULL; | ||
| 156 | struct sk_buff *skb; | 157 | struct sk_buff *skb; |
| 157 | struct icmp_packet_rr *icmp_packet; | 158 | struct icmp_packet_rr *icmp_packet; |
| 158 | 159 | ||
| @@ -167,15 +168,21 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff, | |||
| 167 | return -EINVAL; | 168 | return -EINVAL; |
| 168 | } | 169 | } |
| 169 | 170 | ||
| 170 | if (!bat_priv->primary_if) | 171 | primary_if = primary_if_get_selected(bat_priv); |
| 171 | return -EFAULT; | 172 | |
| 173 | if (!primary_if) { | ||
| 174 | len = -EFAULT; | ||
| 175 | goto out; | ||
| 176 | } | ||
| 172 | 177 | ||
| 173 | if (len >= sizeof(struct icmp_packet_rr)) | 178 | if (len >= sizeof(struct icmp_packet_rr)) |
| 174 | packet_len = sizeof(struct icmp_packet_rr); | 179 | packet_len = sizeof(struct icmp_packet_rr); |
| 175 | 180 | ||
| 176 | skb = dev_alloc_skb(packet_len + sizeof(struct ethhdr)); | 181 | skb = dev_alloc_skb(packet_len + sizeof(struct ethhdr)); |
| 177 | if (!skb) | 182 | if (!skb) { |
| 178 | return -ENOMEM; | 183 | len = -ENOMEM; |
| 184 | goto out; | ||
| 185 | } | ||
| 179 | 186 | ||
| 180 | skb_reserve(skb, sizeof(struct ethhdr)); | 187 | skb_reserve(skb, sizeof(struct ethhdr)); |
| 181 | icmp_packet = (struct icmp_packet_rr *)skb_put(skb, packet_len); | 188 | icmp_packet = (struct icmp_packet_rr *)skb_put(skb, packet_len); |
| @@ -233,7 +240,7 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff, | |||
| 233 | goto dst_unreach; | 240 | goto dst_unreach; |
| 234 | 241 | ||
| 235 | memcpy(icmp_packet->orig, | 242 | memcpy(icmp_packet->orig, |
| 236 | bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); | 243 | primary_if->net_dev->dev_addr, ETH_ALEN); |
| 237 | 244 | ||
| 238 | if (packet_len == sizeof(struct icmp_packet_rr)) | 245 | if (packet_len == sizeof(struct icmp_packet_rr)) |
| 239 | memcpy(icmp_packet->rr, | 246 | memcpy(icmp_packet->rr, |
| @@ -248,6 +255,8 @@ dst_unreach: | |||
| 248 | free_skb: | 255 | free_skb: |
| 249 | kfree_skb(skb); | 256 | kfree_skb(skb); |
| 250 | out: | 257 | out: |
| 258 | if (primary_if) | ||
| 259 | hardif_free_ref(primary_if); | ||
| 251 | if (neigh_node) | 260 | if (neigh_node) |
| 252 | neigh_node_free_ref(neigh_node); | 261 | neigh_node_free_ref(neigh_node); |
| 253 | if (orig_node) | 262 | if (orig_node) |