renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-11-18 15:44:02 +08:00
Code

packet: dont call sleeping functions while holding rcu_read_lock()

Browse Source 
commit 654d1f8a01 (packet: less dev_put() calls)
introduced a problem, calling potentially sleeping functions from a
rcu_read_lock() protected section.

Fix this by releasing lock before the sock_wmalloc()/memcpy_fromiovec() calls.

After skb allocation and copy from user space, we redo device
lookup and appropriate tests.

Reported-and-tested-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2009-12-15 05:47:03 +00:00 committed by David S. Miller
parent 81e839efc2
commit 1a35ca80c1
1 changed files with 29 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
net/packet/af_packet.c
View File

@ -415,7 +415,7 @@ static int packet_sendmsg_spkt(struct kiocb *iocb, struct socket *sock,
{ {
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
struct sockaddr_pkt *saddr = (struct sockaddr_pkt *)msg->msg_name; struct sockaddr_pkt *saddr = (struct sockaddr_pkt *)msg->msg_name;
struct sk_buff *skb; struct sk_buff *skb = NULL;
struct net_device *dev; struct net_device *dev;
__be16 proto = 0; __be16 proto = 0;
int err; int err;
@ -437,6 +437,7 @@ static int packet_sendmsg_spkt(struct kiocb *iocb, struct socket *sock,
*/ */
saddr->spkt_device[13] = 0; saddr->spkt_device[13] = 0;
retry:
rcu_read_lock(); rcu_read_lock();
dev = dev_get_by_name_rcu(sock_net(sk), saddr->spkt_device); dev = dev_get_by_name_rcu(sock_net(sk), saddr->spkt_device);
err = -ENODEV; err = -ENODEV;
@ -456,58 +457,48 @@ static int packet_sendmsg_spkt(struct kiocb *iocb, struct socket *sock,
if (len > dev->mtu + dev->hard_header_len) if (len > dev->mtu + dev->hard_header_len)
goto out_unlock; goto out_unlock;
err = -ENOBUFS; if (!skb) {
skb = sock_wmalloc(sk, len + LL_RESERVED_SPACE(dev), 0, GFP_KERNEL); size_t reserved = LL_RESERVED_SPACE(dev);
unsigned int hhlen = dev->header_ops ? dev->hard_header_len : 0;
/* rcu_read_unlock();
* If the write buffer is full, then tough. At this level the user skb = sock_wmalloc(sk, len + reserved, 0, GFP_KERNEL);
* gets to deal with the problem - do your own algorithmic backoffs. if (skb == NULL)
* That's far more flexible. return -ENOBUFS;
*/ /* FIXME: Save some space for broken drivers that write a hard
* header at transmission time by themselves. PPP is the notable
* one here. This should really be fixed at the driver level.
*/
skb_reserve(skb, reserved);
skb_reset_network_header(skb);
if (skb == NULL) /* Try to align data part correctly */
goto out_unlock; if (hhlen) {
skb->data -= hhlen;
/* skb->tail -= hhlen;
* Fill it in if (len < hhlen)
*/ skb_reset_network_header(skb);
}
/* FIXME: Save some space for broken drivers that write a err = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);
* hard header at transmission time by themselves. PPP is the if (err)
* notable one here. This should really be fixed at the driver level. goto out_free;
*/ goto retry;
skb_reserve(skb, LL_RESERVED_SPACE(dev));
skb_reset_network_header(skb);
/* Try to align data part correctly */
if (dev->header_ops) {
skb->data -= dev->hard_header_len;
skb->tail -= dev->hard_header_len;
if (len < dev->hard_header_len)
skb_reset_network_header(skb);
} }
/* Returns -EFAULT on error */
err = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);
skb->protocol = proto; skb->protocol = proto;
skb->dev = dev; skb->dev = dev;
skb->priority = sk->sk_priority; skb->priority = sk->sk_priority;
skb->mark = sk->sk_mark; skb->mark = sk->sk_mark;
if (err)
goto out_free;
/*
* Now send it
*/
dev_queue_xmit(skb); dev_queue_xmit(skb);
rcu_read_unlock(); rcu_read_unlock();
return len; return len;
out_free:
kfree_skb(skb);
out_unlock: out_unlock:
rcu_read_unlock(); rcu_read_unlock();
out_free:
kfree_skb(skb);
return err; return err;
} }