openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

pppoatm: fix module_put() race 

The pppoatm used module_put() during unassignment from vcc with
hope that we have BKL. This assumption is no longer true.

Now owner field in atmvcc is used to move this module_put()
to vcc_destroy_socket().

Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
This commit is contained in:
Krzysztof Mazur 2012-11-06 23:16:59 +01:00 committed by David Woodhouse
parent 3b1a914595
commit e41faed9cd
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
net/atm/pppoatm.c
View File

@ -60,6 +60,7 @@ struct pppoatm_vcc {
struct atm_vcc *atmvcc; /* VCC descriptor */ struct atm_vcc *atmvcc; /* VCC descriptor */
void (*old_push)(struct atm_vcc *, struct sk_buff *); void (*old_push)(struct atm_vcc *, struct sk_buff *);
void (*old_pop)(struct atm_vcc *, struct sk_buff *); void (*old_pop)(struct atm_vcc *, struct sk_buff *);
struct module *old_owner;
/* keep old push/pop for detaching */ /* keep old push/pop for detaching */
enum pppoatm_encaps encaps; enum pppoatm_encaps encaps;
atomic_t inflight; atomic_t inflight;
@ -155,8 +156,6 @@ static void pppoatm_unassign_vcc(struct atm_vcc *atmvcc)
ppp_unregister_channel(&pvcc->chan); ppp_unregister_channel(&pvcc->chan);
atmvcc->user_back = NULL; atmvcc->user_back = NULL;
kfree(pvcc); kfree(pvcc);
/* Gee, I hope we have the big kernel lock here... */
module_put(THIS_MODULE);
} }
/* Called when an AAL5 PDU comes in */ /* Called when an AAL5 PDU comes in */
@ -165,9 +164,13 @@ static void pppoatm_push(struct atm_vcc *atmvcc, struct sk_buff *skb)
struct pppoatm_vcc *pvcc = atmvcc_to_pvcc(atmvcc); struct pppoatm_vcc *pvcc = atmvcc_to_pvcc(atmvcc);
pr_debug("\n"); pr_debug("\n");
if (skb == NULL) { /* VCC was closed */ if (skb == NULL) { /* VCC was closed */
struct module *module;
pr_debug("removing ATMPPP VCC %p\n", pvcc); pr_debug("removing ATMPPP VCC %p\n", pvcc);
module = pvcc->old_owner;
pppoatm_unassign_vcc(atmvcc); pppoatm_unassign_vcc(atmvcc);
atmvcc->push(atmvcc, NULL); /* Pass along bad news */ atmvcc->push(atmvcc, NULL); /* Pass along bad news */
module_put(module);
return; return;
} }
atm_return(atmvcc, skb->truesize); atm_return(atmvcc, skb->truesize);
@ -362,6 +365,7 @@ static int pppoatm_assign_vcc(struct atm_vcc *atmvcc, void __user *arg)
atomic_set(&pvcc->inflight, NONE_INFLIGHT); atomic_set(&pvcc->inflight, NONE_INFLIGHT);
pvcc->old_push = atmvcc->push; pvcc->old_push = atmvcc->push;
pvcc->old_pop = atmvcc->pop; pvcc->old_pop = atmvcc->pop;
pvcc->old_owner = atmvcc->owner;
pvcc->encaps = (enum pppoatm_encaps) be.encaps; pvcc->encaps = (enum pppoatm_encaps) be.encaps;
pvcc->chan.private = pvcc; pvcc->chan.private = pvcc;
pvcc->chan.ops = &pppoatm_ops; pvcc->chan.ops = &pppoatm_ops;
@ -378,6 +382,7 @@ static int pppoatm_assign_vcc(struct atm_vcc *atmvcc, void __user *arg)
atmvcc->push = pppoatm_push; atmvcc->push = pppoatm_push;
atmvcc->pop = pppoatm_pop; atmvcc->pop = pppoatm_pop;
__module_get(THIS_MODULE); __module_get(THIS_MODULE);
atmvcc->owner = THIS_MODULE;
/* re-process everything received between connection setup and /* re-process everything received between connection setup and
backend setup */ backend setup */