aboutsummaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorTom Herbert <therbert@google.com>2010-07-14 20:50:29 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2010-08-02 10:26:28 -0700
commit47f13456eadc6b8cf591bd7ab11ed829c4af4b55 (patch)
tree90f0fc1bd7cf48d0c99a09c5f337307b656a2aeb /net
parentaf0216e8d8f1c2f8dade974a4db6cb08b732b484 (diff)
net: fix problem in reading sock TX queue
commit b0f77d0eae0c58a5a9691a067ada112ceeae2d00 upstream. Fix problem in reading the tx_queue recorded in a socket. In dev_pick_tx, the TX queue is read by doing a check with sk_tx_queue_recorded on the socket, followed by a sk_tx_queue_get. The problem is that there is not mutual exclusion across these calls in the socket so it it is possible that the queue in the sock can be invalidated after sk_tx_queue_recorded is called so that sk_tx_queue get returns -1, which sets 65535 in queue_index and thus dev_pick_tx returns 65536 which is a bogus queue and can cause crash in dev_queue_xmit. We fix this by only calling sk_tx_queue_get which does the proper checks. The interface is that sk_tx_queue_get returns the TX queue if the sock argument is non-NULL and TX queue is recorded, else it returns -1. sk_tx_queue_recorded is no longer used so it can be completely removed. Signed-off-by: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
-rw-r--r--net/core/dev.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/net/core/dev.c b/net/core/dev.c
index cfd755705ee..7eb7c1d88e7 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1915,12 +1915,11 @@ static inline u16 dev_cap_txqueue(struct net_device *dev, u16 queue_index)
static struct netdev_queue *dev_pick_tx(struct net_device *dev,
struct sk_buff *skb)
{
- u16 queue_index;
+ int queue_index;
struct sock *sk = skb->sk;
- if (sk_tx_queue_recorded(sk)) {
- queue_index = sk_tx_queue_get(sk);
- } else {
+ queue_index = sk_tx_queue_get(sk);
+ if (queue_index < 0) {
const struct net_device_ops *ops = dev->netdev_ops;
if (ops->ndo_select_queue) {