diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-10-04 22:42:08 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-10-05 20:35:53 -0700 |
commit | 79315068f4560f3f7bd6e9790190dcb43059770c (patch) | |
tree | da41cf961fd143ba9365fcb18a657dba904e617f | |
parent | 27e6f065df132b5270014d3285889b15185e9da9 (diff) | |
download | kernel_samsung_espresso10-79315068f4560f3f7bd6e9790190dcb43059770c.zip kernel_samsung_espresso10-79315068f4560f3f7bd6e9790190dcb43059770c.tar.gz kernel_samsung_espresso10-79315068f4560f3f7bd6e9790190dcb43059770c.tar.bz2 |
caif: fix two caif_connect() bugs
caif_connect() might dereference a netdevice after dev_put() it.
It also doesnt check dev_get_by_index() return value and could
dereference a NULL pointer.
Fix it, using RCU to avoid taking a reference.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/caif/caif_socket.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 8ce9047..4bf28f2 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, long timeo; int err; int ifindex, headroom, tailroom; + unsigned int mtu; struct net_device *dev; lock_sock(sk); @@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, cf_sk->sk.sk_state = CAIF_DISCONNECTED; goto out; } - dev = dev_get_by_index(sock_net(sk), ifindex); + + err = -ENODEV; + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), ifindex); + if (!dev) { + rcu_read_unlock(); + goto out; + } cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); + mtu = dev->mtu; + rcu_read_unlock(); + cf_sk->tailroom = tailroom; - cf_sk->maxframe = dev->mtu - (headroom + tailroom); - dev_put(dev); + cf_sk->maxframe = mtu - (headroom + tailroom); if (cf_sk->maxframe < 1) { - pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n", - __func__, dev->mtu); - err = -ENODEV; + pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n", + __func__, mtu); goto out; } |