diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-10-19 02:41:58 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-10-20 00:34:20 -0400 |
| commit | 55b8050353c4a212c94d7156e2bd5885225b869b (patch) | |
| tree | 013778c4d48b946b2c565f8b55f40e505ec255ce /net | |
| parent | 45054dc1bf2367ccb0e7c0486037907cd9395f8b (diff) | |
net: Fix IP_MULTICAST_IF
ipv4/ipv6 setsockopt(IP_MULTICAST_IF) have dubious __dev_get_by_index() calls.
This function should be called only with RTNL or dev_base_lock held, or reader
could see a corrupt hash chain and eventually enter an endless loop.
Fix is to call dev_get_by_index()/dev_put().
If this happens to be performance critical, we could define a new dev_exist_by_index()
function to avoid touching dev refcount.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/ip_sockglue.c | 7 | ||||
| -rw-r--r-- | net/ipv6/ipv6_sockglue.c | 6 |
2 files changed, 8 insertions, 5 deletions
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 0c0b6e363a20..e982b5c1ee17 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c | |||
| @@ -634,17 +634,16 @@ static int do_ip_setsockopt(struct sock *sk, int level, | |||
| 634 | break; | 634 | break; |
| 635 | } | 635 | } |
| 636 | dev = ip_dev_find(sock_net(sk), mreq.imr_address.s_addr); | 636 | dev = ip_dev_find(sock_net(sk), mreq.imr_address.s_addr); |
| 637 | if (dev) { | 637 | if (dev) |
| 638 | mreq.imr_ifindex = dev->ifindex; | 638 | mreq.imr_ifindex = dev->ifindex; |
| 639 | dev_put(dev); | ||
| 640 | } | ||
| 641 | } else | 639 | } else |
| 642 | dev = __dev_get_by_index(sock_net(sk), mreq.imr_ifindex); | 640 | dev = dev_get_by_index(sock_net(sk), mreq.imr_ifindex); |
| 643 | 641 | ||
| 644 | 642 | ||
| 645 | err = -EADDRNOTAVAIL; | 643 | err = -EADDRNOTAVAIL; |
| 646 | if (!dev) | 644 | if (!dev) |
| 647 | break; | 645 | break; |
| 646 | dev_put(dev); | ||
| 648 | 647 | ||
| 649 | err = -EINVAL; | 648 | err = -EINVAL; |
| 650 | if (sk->sk_bound_dev_if && | 649 | if (sk->sk_bound_dev_if && |
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 14f54eb5a7fc..4f7aaf6996a3 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c | |||
| @@ -496,13 +496,17 @@ done: | |||
| 496 | goto e_inval; | 496 | goto e_inval; |
| 497 | 497 | ||
| 498 | if (val) { | 498 | if (val) { |
| 499 | struct net_device *dev; | ||
| 500 | |||
| 499 | if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != val) | 501 | if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != val) |
| 500 | goto e_inval; | 502 | goto e_inval; |
| 501 | 503 | ||
| 502 | if (__dev_get_by_index(net, val) == NULL) { | 504 | dev = dev_get_by_index(net, val); |
| 505 | if (!dev) { | ||
| 503 | retv = -ENODEV; | 506 | retv = -ENODEV; |
| 504 | break; | 507 | break; |
| 505 | } | 508 | } |
| 509 | dev_put(dev); | ||
| 506 | } | 510 | } |
| 507 | np->mcast_oif = val; | 511 | np->mcast_oif = val; |
| 508 | retv = 0; | 512 | retv = 0; |