On Sat, Jan 2, 2016 at 12:03 AM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> On Sat, Jan 2, 2016 at 1:34 AM, Cong Wang <xiyou.wangcong@xxxxxxxxx> wrote:
>> llcp_sock_getname() checks llcp_sock->dev to make sure
>> llcp_sock is already connected or bound, however, we could
>> be in the middle of llcp_sock_bind() where llcp_sock->dev
>> is bound and llcp_sock->service_name_len is set,
>> but llcp_sock->service_name is not, in this case we would
>> end up copying some bytes from a NULL pointer.
>>
>> We should just check if sk->sk_state is still closed since
>> both connect() and bind() will update this state at the end.
>
> Hi Cong,
>
> This is still racy. If you want to play lock-free then you also need
> proper memory barriers. Stores to sk_state need to be
> smp_store_release, while the load needs to be smp_load_acquire.
> Otherwise getname still can see a partially initialized socket.
>

Right... Or just lock sock perhaps. I will update my patch.

Thanks!
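The publish-then-check pattern Dmitry describes, as an added userspace C11 model that is not code from this thread or from the kernel's NFC LLCP code: C11 release/acquire atomics stand in for smp_store_release()/smp_load_acquire(), the struct and function names are toy stand-ins, and the mid-bind window (dev and service_name_len set, service_name still NULL) is constructed by hand.

```c
/* Added example: toy model of the llcp_sock bind/getname race and the
 * release/acquire fix. Names are stand-ins, not the kernel's. */
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

enum { SK_CLOSED = 0, SK_BOUND = 1 };
#define NOT_CONNECTED (-1)            /* stand-in for -ENOTCONN */

struct toy_llcp_sock {
    int dev_bound;                    /* stands in for llcp_sock->dev */
    size_t service_name_len;
    const char *service_name;
    _Atomic int sk_state;             /* published last, with release */
};

/* bind(): fill in every field first, then publish the state with release
 * semantics so none of the earlier stores can become visible after it. */
void toy_bind(struct toy_llcp_sock *s, const char *name, size_t len)
{
    s->dev_bound = 1;
    s->service_name_len = len;
    s->service_name = name;
    atomic_store_explicit(&s->sk_state, SK_BOUND, memory_order_release);
}

/* The original check: looks only at dev, which bind() sets before
 * service_name, so it can pass while service_name is still NULL. */
int old_check_would_copy(const struct toy_llcp_sock *s)
{
    return s->dev_bound;
}

/* getname(): the acquire load pairs with the release store in toy_bind(),
 * so seeing SK_BOUND guarantees dev/service_name/service_name_len are
 * fully visible. A plain (non-acquire) load would give no such guarantee.
 * Returns the number of bytes copied, or NOT_CONNECTED. */
int toy_getname(struct toy_llcp_sock *s, char *out, size_t outlen)
{
    if (atomic_load_explicit(&s->sk_state, memory_order_acquire) == SK_CLOSED)
        return NOT_CONNECTED;
    size_t n = s->service_name_len < outlen ? s->service_name_len : outlen;
    memcpy(out, s->service_name, n);
    return (int)n;
}
```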