diff options
author | Matt Johnston <matt@codeconstruct.com.au> | 2022-02-22 12:17:38 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2022-02-23 12:29:15 +0000 |
commit | dc121c0084910db985cf1c8ba6fce5d8c307cc02 (patch) | |
tree | d9a2d56d1ded9a273b032beb317d36ea86ffb6f3 /net/mctp/route.c | |
parent | 4767b7e2ed818e97851d236d23f2e2ffa90af6ec (diff) |
mctp: make __mctp_dev_get() take a refcount hold
Previously there was a race that could allow the mctp_dev refcount
to hit zero:
rcu_read_lock();
mdev = __mctp_dev_get(dev);
// mctp_unregister() happens here, mdev->refs hits zero
mctp_dev_hold(dev);
rcu_read_unlock();
Now we make __mctp_dev_get() take the hold itself. It is safe to test
against the zero refcount because __mctp_dev_get() is called holding
rcu_read_lock and mctp_dev uses kfree_rcu().
Reported-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/mctp/route.c')
-rw-r--r-- | net/mctp/route.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/mctp/route.c b/net/mctp/route.c index fe6c8bf1ec2c..6f277e56b168 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -836,7 +836,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt, { struct mctp_sock *msk = container_of(sk, struct mctp_sock, sk); struct mctp_skb_cb *cb = mctp_cb(skb); - struct mctp_route tmp_rt; + struct mctp_route tmp_rt = {0}; struct mctp_sk_key *key; struct net_device *dev; struct mctp_hdr *hdr; @@ -948,6 +948,7 @@ out_release: mctp_route_release(rt); dev_put(dev); + mctp_dev_put(tmp_rt.dev); return rc; @@ -1124,11 +1125,13 @@ static int mctp_pkttype_receive(struct sk_buff *skb, struct net_device *dev, rt->output(rt, skb); mctp_route_release(rt); + mctp_dev_put(mdev); return NET_RX_SUCCESS; err_drop: kfree_skb(skb); + mctp_dev_put(mdev); return NET_RX_DROP; } |