summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorMohamad Ayyash <mkayyash@google.com>2015-01-13 19:20:44 -0800
committerJohn Stultz <john.stultz@linaro.org>2016-02-16 13:51:39 -0800
commit7c36bff505b117a9fd43bc644e3427ae1173e10a (patch)
treead45ccb5aafa2b8d723802e32a379ae4fbdab20c /net
parent6fafffff1af8659928b8f06e1a12fee3b4423858 (diff)
xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket
It prevents a kernel panic when accessing sk->sk_socket fields due to NULLing sk->sk_socket when sock_orphan is called through sk_common_release. Change-Id: I4aa46b4e2d8600e4d4ef8dcdd363aa4e6e5f8433 Signed-off-by: Mohamad Ayyash <mkayyash@google.com> (cherry picked from commit cdea0ebcb8bcfe57688f6cb692b49e550ebd9796) Signed-off-by: John Stultz <john.stultz@linaro.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/xt_qtaguid.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c
index 9664bec1091c..e33be3aaf094 100644
--- a/net/netfilter/xt_qtaguid.c
+++ b/net/netfilter/xt_qtaguid.c
@@ -1658,6 +1658,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
struct sock *sk;
kuid_t sock_uid;
bool res;
+ bool set_sk_callback_lock = false;
if (unlikely(module_passive))
return (info->match ^ info->invert) == 0;
@@ -1715,6 +1716,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
MT_DEBUG("qtaguid[%d]: sk=%p got_sock=%d fam=%d proto=%d\n",
par->hooknum, sk, got_sock, par->family, ipx_proto(skb, par));
if (sk != NULL) {
+ set_sk_callback_lock = true;
+ read_lock_bh(&sk->sk_callback_lock);
MT_DEBUG("qtaguid[%d]: sk=%p->sk_socket=%p->file=%p\n",
par->hooknum, sk, sk->sk_socket,
sk->sk_socket ? sk->sk_socket->file : (void *)-1LL);
@@ -1801,6 +1804,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
put_sock_ret_res:
if (got_sock)
xt_socket_put_sk(sk);
+ if (set_sk_callback_lock)
+ read_unlock_bh(&sk->sk_callback_lock);
ret_res:
MT_DEBUG("qtaguid[%d]: left %d\n", par->hooknum, res);
return res;
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-03 23:31:52 +0000