diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2005-03-31 04:29:09 -0800 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2005-03-31 04:29:09 -0800 |
commit | 4492174a34f3118342587bedef10117817179375 (patch) | |
tree | bd8b986ccfdd79f77ba8abd03bf14e3f326e9bd5 | |
parent | 3b4155300fc0cdc66ac07846899dc84dc3a2dfb4 (diff) | |
download | history-4492174a34f3118342587bedef10117817179375.tar.gz |
[NETLINK]: More complete fix for race.
Unfortunately my patch only closed half the race. There is still
a chunk of code between netlink_dump_start and netlink_dump that runs
outside the cb lock which isn't protected by an sk reference.
Here is a better patch which protects the entire netlink_dump function
with a sk reference.
The other call to netlink_dump by recvmsg is safe as the open file
descriptor already holds a reference. As such the final sock_put
in netlink_dump can be turned into a __sock_put since there is at
least one reference held by the caller.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/netlink/af_netlink.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 65f1a89ac6dead..81f3a4c9c43e4b 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1080,11 +1080,9 @@ static int netlink_dump(struct sock *sk) len = cb->dump(skb, cb); if (len > 0) { - sock_hold(sk); spin_unlock(&nlk->cb_lock); skb_queue_tail(&sk->sk_receive_queue, skb); sk->sk_data_ready(sk, len); - sock_put(sk); return 0; } @@ -1099,7 +1097,7 @@ static int netlink_dump(struct sock *sk) spin_unlock(&nlk->cb_lock); netlink_destroy_callback(cb); - sock_put(sk); + __sock_put(sk); return 0; } @@ -1138,9 +1136,11 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, return -EBUSY; } nlk->cb = cb; + sock_hold(sk); spin_unlock(&nlk->cb_lock); netlink_dump(sk); + sock_put(sk); return 0; } |