diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-10-19 06:41:58 +0000 | 
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-10-19 21:34:20 -0700 | 
| commit | 55b8050353c4a212c94d7156e2bd5885225b869b (patch) | |
| tree | 013778c4d48b946b2c565f8b55f40e505ec255ce | |
| parent | 45054dc1bf2367ccb0e7c0486037907cd9395f8b (diff) | |
net: Fix IP_MULTICAST_IF
ipv4/ipv6 setsockopt(IP_MULTICAST_IF) have dubious __dev_get_by_index() calls.
This function should be called only with RTNL or dev_base_lock held, or reader
could see a corrupt hash chain and eventually enter an endless loop.
Fix is to call dev_get_by_index()/dev_put().
If this happens to be performance critical, we could define a new dev_exist_by_index()
function to avoid touching dev refcount.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv4/ip_sockglue.c | 7 | ||||
| -rw-r--r-- | net/ipv6/ipv6_sockglue.c | 6 | 
2 files changed, 8 insertions, 5 deletions
| diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 0c0b6e363a20..e982b5c1ee17 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -634,17 +634,16 @@ static int do_ip_setsockopt(struct sock *sk, int level,  				break;  			}  			dev = ip_dev_find(sock_net(sk), mreq.imr_address.s_addr); -			if (dev) { +			if (dev)  				mreq.imr_ifindex = dev->ifindex; -				dev_put(dev); -			}  		} else -			dev = __dev_get_by_index(sock_net(sk), mreq.imr_ifindex); +			dev = dev_get_by_index(sock_net(sk), mreq.imr_ifindex);  		err = -EADDRNOTAVAIL;  		if (!dev)  			break; +		dev_put(dev);  		err = -EINVAL;  		if (sk->sk_bound_dev_if && diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 14f54eb5a7fc..4f7aaf6996a3 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -496,13 +496,17 @@ done:  			goto e_inval;  		if (val) { +			struct net_device *dev; +  			if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != val)  				goto e_inval; -			if (__dev_get_by_index(net, val) == NULL) { +			dev = dev_get_by_index(net, val); +			if (!dev) {  				retv = -ENODEV;  				break;  			} +			dev_put(dev);  		}  		np->mcast_oif = val;  		retv = 0; | 
