From 4492174a34f3118342587bedef10117817179375 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 31 Mar 2005 04:29:09 -0800 Subject: [NETLINK]: More complete fix for race. Unfortunately my patch only closed half the race. There is still a chunk of code between netlink_dump_start and netlink_dump that runs outside the cb lock which isn't protected by an sk reference. Here is a better patch which protects the entire netlink_dump function with a sk reference. The other call to netlink_dump by recvmsg is safe as the open file descriptor already holds a reference. As such the final sock_put in netlink_dump can be turned into a __sock_put since there is at least one reference held by the caller. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/netlink/af_netlink.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 65f1a89ac6dead..81f3a4c9c43e4b 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1080,11 +1080,9 @@ static int netlink_dump(struct sock *sk) len = cb->dump(skb, cb); if (len > 0) { - sock_hold(sk); spin_unlock(&nlk->cb_lock); skb_queue_tail(&sk->sk_receive_queue, skb); sk->sk_data_ready(sk, len); - sock_put(sk); return 0; } @@ -1099,7 +1097,7 @@ static int netlink_dump(struct sock *sk) spin_unlock(&nlk->cb_lock); netlink_destroy_callback(cb); - sock_put(sk); + __sock_put(sk); return 0; } @@ -1138,9 +1136,11 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, return -EBUSY; } nlk->cb = cb; + sock_hold(sk); spin_unlock(&nlk->cb_lock); netlink_dump(sk); + sock_put(sk); return 0; } -- cgit 1.2.3-korg