diff options
| author | Radu Iliescu <radui@bricsys.com> | 2012-01-18 22:57:57 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-01-24 15:33:19 -0500 |
| commit | 56ac11cf2f21366ad48b356f7a0d1af8cff3588e (patch) | |
| tree | dd4471a9df32ddda044718d6d88cbb78cf941bea /net | |
| parent | 90b9a5454fd2e626aa1614fe9ece6b63a0dc37af (diff) | |
llc: Fix race condition in llc_ui_recvmsg
There is a race on sk_receive_queue between llc_ui_recvmsg and
sock_queue_rcv_skb.
Our current solution is to protect skb_eat in llc_ui_recvmsg
with the queue spinlock.
Signed-off-by: Radu Iliescu <riliescu@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/llc/af_llc.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index a18e6c3d36e3..b9bef2c75026 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c | |||
| @@ -713,6 +713,7 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, | |||
| 713 | struct sk_buff *skb = NULL; | 713 | struct sk_buff *skb = NULL; |
| 714 | struct sock *sk = sock->sk; | 714 | struct sock *sk = sock->sk; |
| 715 | struct llc_sock *llc = llc_sk(sk); | 715 | struct llc_sock *llc = llc_sk(sk); |
| 716 | unsigned long cpu_flags; | ||
| 716 | size_t copied = 0; | 717 | size_t copied = 0; |
| 717 | u32 peek_seq = 0; | 718 | u32 peek_seq = 0; |
| 718 | u32 *seq; | 719 | u32 *seq; |
| @@ -838,7 +839,9 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, | |||
| 838 | goto copy_uaddr; | 839 | goto copy_uaddr; |
| 839 | 840 | ||
| 840 | if (!(flags & MSG_PEEK)) { | 841 | if (!(flags & MSG_PEEK)) { |
| 842 | spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); | ||
| 841 | sk_eat_skb(sk, skb, 0); | 843 | sk_eat_skb(sk, skb, 0); |
| 844 | spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); | ||
| 842 | *seq = 0; | 845 | *seq = 0; |
| 843 | } | 846 | } |
| 844 | 847 | ||
| @@ -859,7 +862,9 @@ copy_uaddr: | |||
| 859 | llc_cmsg_rcv(msg, skb); | 862 | llc_cmsg_rcv(msg, skb); |
| 860 | 863 | ||
| 861 | if (!(flags & MSG_PEEK)) { | 864 | if (!(flags & MSG_PEEK)) { |
| 865 | spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); | ||
| 862 | sk_eat_skb(sk, skb, 0); | 866 | sk_eat_skb(sk, skb, 0); |
| 867 | spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); | ||
| 863 | *seq = 0; | 868 | *seq = 0; |
| 864 | } | 869 | } |
| 865 | 870 | ||