Hi Dave:

Here is the version for 2.4. Unfortunately, my patch only closed half the race. There is still a chunk of code between netlink_dump_start and netlink_dump that runs outside the cb lock which isn't protected by an sk reference. Here is a better patch which protects the entire netlink_dump function with an sk reference. The other call to netlink_dump by recvmsg is safe as the open file descriptor already holds a reference. As such, the final sock_put in netlink_dump can be turned into a __sock_put since there is at least one reference held by the caller.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--- linux-2.4/net/netlink/af_netlink.c.orig 2005-04-01 09:20:05.000000000 +1000 +++ linux-2.4/net/netlink/af_netlink.c 2005-04-01 09:21:06.000000000 +1000 @@ -981,11 +981,9 @@ len = cb->dump(skb, cb); if (len > 0) { - sock_hold(sk); spin_unlock(&sk->protinfo.af_netlink->cb_lock); skb_queue_tail(&sk->receive_queue, skb); sk->data_ready(sk, len); - sock_put(sk); return 0; } @@ -1000,7 +998,7 @@ spin_unlock(&sk->protinfo.af_netlink->cb_lock); netlink_destroy_callback(cb); - sock_put(sk); + __sock_put(sk); return 0; } @@ -1037,9 +1035,11 @@ return -EBUSY; } sk->protinfo.af_netlink->cb = cb; + sock_hold(sk); spin_unlock(&sk->protinfo.af_netlink->cb_lock); netlink_dump(sk); + sock_put(sk); return 0; }
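Review bot: Removing the sock_hold(sk)/sock_put(sk) pair around the spin_unlock, skb_queue_tail and sk->data_ready calls in the `len > 0` path of the first hunk (@@ -981,11) makes netlink_dump depend on every caller holding its own sk reference for the whole call, and that contract currently lives only in the changelog; a one-line comment above netlink_dump ("caller must hold a reference to sk") would stop a future caller from reintroducing the race. The hunk itself is consistent with the contract: after the unlock this path touches sk only through data_ready and then returns 0 immediately.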
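Review bot: Turning the final sock_put(sk) after netlink_destroy_callback(cb) into __sock_put(sk) in the second hunk (@@ -1000,7) is only correct under the same caller-holds-a-reference rule: __sock_put decrements the refcount without ever running the destructor, so if any path calls netlink_dump without its own hold the failure mode becomes a socket that is never freed rather than a use-after-free. That is the less dangerous outcome, but it is silent; since the reference dropped here is the one owned by the callback (taken in netlink_dump_start, outside this hunk), a comment naming which reference this put balances would let the next reader verify the counting without reading both functions.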
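Review bot: The new sock_hold(sk) before the spin_unlock and the matching sock_put(sk) after netlink_dump(sk) in the third hunk (@@ -1037,9) close the window the changelog describes, and the ordering is right: the hold is taken while cb_lock is still held (sock_hold is a plain atomic increment, fine under a spinlock), and the sock_put is the last statement before `return 0`, so nothing dereferences sk after what may be the final reference is dropped. Two things to confirm against the surrounding code: the -EBUSY path in the context just above takes no new hold, so it must not gain a matching put, and this hold is distinct from the reference netlink_dump_start already owns on behalf of the callback (the one the __sock_put in netlink_dump releases); stating that explicitly in the changelog would make the balance obvious.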