diff options
author | Eric Dumazet <edumazet@google.com> | 2012-06-08 02:25:00 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-06-08 17:30:51 -0400 |
commit | 4399a4df98a63e30fd16e9d0cecc46ea92269e8f (patch) | |
tree | 6068b48be8fe07b2501a849b152436c42106650d /net/l2tp | |
parent | 6a2b28ef036ab5c66fdc606fe97d9e5cb34ea409 (diff) |
l2tp: fix a race in l2tp_ip_sendmsg()
Commit 081b1b1bb27f (l2tp: fix l2tp_ip_sendmsg() route handling) added
a race, in case IP route cache is disabled.
In this case, we should not do the dst_release(&rt->dst), since it'll
free the dst immediately, instead of waiting a RCU grace period.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Cc: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/l2tp')
-rw-r--r-- | net/l2tp/l2tp_ip.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c index 70614e7affab..61d8b75d2686 100644 --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c | |||
@@ -464,10 +464,12 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m | |||
464 | sk->sk_bound_dev_if); | 464 | sk->sk_bound_dev_if); |
465 | if (IS_ERR(rt)) | 465 | if (IS_ERR(rt)) |
466 | goto no_route; | 466 | goto no_route; |
467 | if (connected) | 467 | if (connected) { |
468 | sk_setup_caps(sk, &rt->dst); | 468 | sk_setup_caps(sk, &rt->dst); |
469 | else | 469 | } else { |
470 | dst_release(&rt->dst); /* safe since we hold rcu_read_lock */ | 470 | skb_dst_set(skb, &rt->dst); |
471 | goto xmit; | ||
472 | } | ||
471 | } | 473 | } |
472 | 474 | ||
473 | /* We dont need to clone dst here, it is guaranteed to not disappear. | 475 | /* We dont need to clone dst here, it is guaranteed to not disappear. |
@@ -475,6 +477,7 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m | |||
475 | */ | 477 | */ |
476 | skb_dst_set_noref(skb, &rt->dst); | 478 | skb_dst_set_noref(skb, &rt->dst); |
477 | 479 | ||
480 | xmit: | ||
478 | /* Queue the packet to IP for output */ | 481 | /* Queue the packet to IP for output */ |
479 | rc = ip_queue_xmit(skb, &inet->cork.fl); | 482 | rc = ip_queue_xmit(skb, &inet->cork.fl); |
480 | rcu_read_unlock(); | 483 | rcu_read_unlock(); |