diff options
author | Radu Iliescu <radui@bricsys.com> | 2012-01-18 22:57:57 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-01-24 15:33:19 -0500 |
commit | 56ac11cf2f21366ad48b356f7a0d1af8cff3588e (patch) | |
tree | dd4471a9df32ddda044718d6d88cbb78cf941bea /net/llc | |
parent | 90b9a5454fd2e626aa1614fe9ece6b63a0dc37af (diff) |
llc: Fix race condition in llc_ui_recvmsg
There is a race on sk_receive_queue between llc_ui_recvmsg and
sock_queue_rcv_skb.
Our current solution is to protect skb_eat in llc_ui_recvmsg
with the queue spinlock.
Signed-off-by: Radu Iliescu <riliescu@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/llc')
-rw-r--r-- | net/llc/af_llc.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index a18e6c3d36e3..b9bef2c75026 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c | |||
@@ -713,6 +713,7 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, | |||
713 | struct sk_buff *skb = NULL; | 713 | struct sk_buff *skb = NULL; |
714 | struct sock *sk = sock->sk; | 714 | struct sock *sk = sock->sk; |
715 | struct llc_sock *llc = llc_sk(sk); | 715 | struct llc_sock *llc = llc_sk(sk); |
716 | unsigned long cpu_flags; | ||
716 | size_t copied = 0; | 717 | size_t copied = 0; |
717 | u32 peek_seq = 0; | 718 | u32 peek_seq = 0; |
718 | u32 *seq; | 719 | u32 *seq; |
@@ -838,7 +839,9 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, | |||
838 | goto copy_uaddr; | 839 | goto copy_uaddr; |
839 | 840 | ||
840 | if (!(flags & MSG_PEEK)) { | 841 | if (!(flags & MSG_PEEK)) { |
842 | spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); | ||
841 | sk_eat_skb(sk, skb, 0); | 843 | sk_eat_skb(sk, skb, 0); |
844 | spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); | ||
842 | *seq = 0; | 845 | *seq = 0; |
843 | } | 846 | } |
844 | 847 | ||
@@ -859,7 +862,9 @@ copy_uaddr: | |||
859 | llc_cmsg_rcv(msg, skb); | 862 | llc_cmsg_rcv(msg, skb); |
860 | 863 | ||
861 | if (!(flags & MSG_PEEK)) { | 864 | if (!(flags & MSG_PEEK)) { |
865 | spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); | ||
862 | sk_eat_skb(sk, skb, 0); | 866 | sk_eat_skb(sk, skb, 0); |
867 | spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); | ||
863 | *seq = 0; | 868 | *seq = 0; |
864 | } | 869 | } |
865 | 870 | ||