caif: fix two caif_connect() bugs

caif_connect() might dereference a netdevice after dev_put() it. It also doesnt check dev_get_by_index() return value and could dereference a NULL pointer. Fix it, using RCU to avoid taking a reference. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <eric.dumazet@gmail.com> 2010-10-04 18:42:08 -0400
committer: David S. Miller <davem@davemloft.net> 2010-10-05 23:35:53 -0400
commit: 79315068f4560f3f7bd6e9790190dcb43059770c (patch)
tree: da41cf961fd143ba9365fcb18a657dba904e617f /net
parent: 27e6f065df132b5270014d3285889b15185e9da9 (diff)
1 files changed, 15 insertions, 6 deletions
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 8ce904786116..4bf28f25f368 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
        long timeo;
        int err;
        int ifindex, headroom, tailroom;
+        unsigned int mtu;
        struct net_device *dev;
        lock_sock(sk);
@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
                cf_sk->sk.sk_state = CAIF_DISCONNECTED;
                goto out;
        }
-        dev = dev_get_by_index(sock_net(sk), ifindex);
+        err = -ENODEV;
+        rcu_read_lock();
+        dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
+        if (!dev) {
+                rcu_read_unlock();
+                goto out;
+        }
        cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom);
+        mtu = dev->mtu;
+        rcu_read_unlock();
        cf_sk->tailroom = tailroom;
-        cf_sk->maxframe = dev->mtu - (headroom + tailroom);
+        cf_sk->maxframe = mtu - (headroom + tailroom);
-        dev_put(dev);
        if (cf_sk->maxframe < 1) {
-                pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n",
+                pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n",
-                        __func__, dev->mtu);
+                           __func__, mtu);
-                err = -ENODEV;
                goto out;
        }
author	Eric Dumazet <eric.dumazet@gmail.com>	2010-10-04 18:42:08 -0400
committer	David S. Miller <davem@davemloft.net>	2010-10-05 23:35:53 -0400
commit	79315068f4560f3f7bd6e9790190dcb43059770c (patch)
tree	da41cf961fd143ba9365fcb18a657dba904e617f /net
parent	27e6f065df132b5270014d3285889b15185e9da9 (diff)

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 8ce904786116..4bf28f25f368 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c
@@ -827,6 +827,7 @@ static int caif_connect(struct socket sock, struct sockaddr uaddr,
827	long timeo;	827	long timeo;
828	int err;	828	int err;
829	int ifindex, headroom, tailroom;	829	int ifindex, headroom, tailroom;
		830	unsigned int mtu;
830	struct net_device *dev;	831	struct net_device *dev;
831		832
832	lock_sock(sk);	833	lock_sock(sk);
@@ -896,15 +897,23 @@ static int caif_connect(struct socket sock, struct sockaddr uaddr,
896	cf_sk->sk.sk_state = CAIF_DISCONNECTED;	897	cf_sk->sk.sk_state = CAIF_DISCONNECTED;
897	goto out;	898	goto out;
898	}	899	}
899	dev = dev_get_by_index(sock_net(sk), ifindex);	900
		901	err = -ENODEV;
		902	rcu_read_lock();
		903	dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
		904	if (!dev) {
		905	rcu_read_unlock();
		906	goto out;
		907	}
900	cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom);	908	cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom);
		909	mtu = dev->mtu;
		910	rcu_read_unlock();
		911
901	cf_sk->tailroom = tailroom;	912	cf_sk->tailroom = tailroom;
902	cf_sk->maxframe = dev->mtu - (headroom + tailroom);	913	cf_sk->maxframe = mtu - (headroom + tailroom);
903	dev_put(dev);
904	if (cf_sk->maxframe < 1) {	914	if (cf_sk->maxframe < 1) {
905	pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n",	915	pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n",
906	__func__, dev->mtu);	916	__func__, mtu);
907	err = -ENODEV;
908	goto out;	917	goto out;
909	}	918	}
910		919