From 01637996a51269ff566a104879a539ff45e6e782 Mon Sep 17 00:00:00 2001
From: Hanjie Wu <nagi@zju.edu.cn>
Date: Thu, 21 Oct 2021 00:09:30 +0800
Subject: [PATCH] ax25: fix race condition in AX25 device unregister routine
The ax25_kill_by_device() function in the unregister routine has
concurrency issues with other AX25 socket functions. The ax25_dev
pointer field of ax25_cb is set to NULL and the ax25_dev struct is then
deallocated by ax25_rt_device_down(). However, other socket functions
like ax25_sendmsg() may still access the invalidated pointer.
This patch introduces lock_sock() into ax25_kill_by_device(), in order to
guarantee that the unregister routine cannot proceed when another socket
request is pending.
Signed-off-by: Hanjie Wu <nagi@zju.edu.cn>
---
net/ax25/af_ax25.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
@@ -85,8 +85,10 @@ static void ax25_kill_by_device(struct net_device *dev)
again:
ax25_for_each(s, &ax25_list) {
if (s->ax25_dev == ax25_dev) {
- s->ax25_dev = NULL;
spin_unlock_bh(&ax25_list_lock);
+ lock_sock(s->sk);
+ s->ax25_dev = NULL;
+ release_sock(s->sk);
ax25_disconnect(s, ENETUNREACH);
spin_lock_bh(&ax25_list_lock);
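Review bot: `lock_sock(s->sk)` now runs after `spin_unlock_bh(&ax25_list_lock)` with no reference held on the socket and no check that `s->sk` is non-NULL, and because lock_sock() can sleep, the window in which `s` or its socket can go away is wider than before. Whether an ax25_cb on ax25_list can have a NULL `sk` is not visible in this hunk (control blocks set up for incoming connections look like candidates), so that needs confirming against the code that creates them. I would read `s->sk` into a new local `struct sock *sk` while the list lock is still held, pin it with sock_hold(), and fall back to the plain store when there is no socket, as sketched below. ax25_kill_by_device() begins and ends outside the hunk, so the declaration of `sk` and the restart of the scan are not shown.

```c
if (s->ax25_dev == ax25_dev) {
	sk = s->sk;		/* read while ax25_list_lock is still held */
	if (sk)
		sock_hold(sk);	/* keep the socket alive across the sleep */
	spin_unlock_bh(&ax25_list_lock);
	if (sk) {
		lock_sock(sk);
		s->ax25_dev = NULL;
		release_sock(sk);
	} else {
		s->ax25_dev = NULL;	/* no socket to serialise against */
	}
	ax25_disconnect(s, ENETUNREACH);
	if (sk)
		sock_put(sk);
	/* … unchanged: re-take ax25_list_lock … */
```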
--
2.25.1