From: Eric Dumazet
To: David Miller
Cc: netdev, Sjur Braendeland
Date: Tue, 05 Oct 2010 10:42:08 +0200
Subject: [PATCH] caif: fix two caif_connect() bugs
Message-ID: <1286268128.2796.27.camel@edumazet-laptop>
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 66771
X-Patchwork-Delegate: davem@davemloft.net

caif_connect() might dereference a netdevice after dev_put() it.

It also doesn't check dev_get_by_index() return value and could
dereference a NULL pointer.

Fix it, using RCU to avoid taking a reference.

Signed-off-by: Eric Dumazet
CC: Sjur Braendeland
---
 net/caif/caif_socket.c | 21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 8ce9047..4bf28f2 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, long timeo; int err; int ifindex, headroom, tailroom; + unsigned int mtu; struct net_device *dev; lock_sock(sk); 
@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, cf_sk->sk.sk_state = CAIF_DISCONNECTED; goto out; } - dev = dev_get_by_index(sock_net(sk), ifindex); + + err = -ENODEV; + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), ifindex); + if (!dev) { + rcu_read_unlock(); + goto out; + } cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); + mtu = dev->mtu; + rcu_read_unlock(); + cf_sk->tailroom = tailroom; - cf_sk->maxframe = dev->mtu - (headroom + tailroom); - dev_put(dev); + cf_sk->maxframe = mtu - (headroom + tailroom); if (cf_sk->maxframe < 1) { - pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n", - __func__, dev->mtu); - err = -ENODEV; + pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n", + __func__, mtu); goto out; }
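Review bot: In the second hunk, `cf_sk->maxframe = mtu - (headroom + tailroom);` is evaluated in unsigned arithmetic because `mtu` is declared `unsigned int`, so an MTU smaller than headroom plus tailroom wraps to a large value instead of going negative, and the `if (cf_sk->maxframe < 1)` guard only rejects that case if `maxframe` is a signed type, which these lines do not show. Testing `mtu <= headroom + tailroom` before doing the subtraction would make the rejection independent of the field's type; `headroom` and `tailroom` are `int`, so that comparison assumes they are non-negative. Separately, `err = -ENODEV;` is now assigned once before `rcu_read_lock()` and no longer inside the MTU branch, so the code after this hunk must assign `err` again before any success return; that part is outside the visible context and is worth confirming.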