• Tom Herbert's avatar
    net: fix problem in reading sock TX queue · b0f77d0e
    Tom Herbert authored
    Fix problem in reading the tx_queue recorded in a socket.  In
    dev_pick_tx, the TX queue is read by doing a check with
    sk_tx_queue_recorded on the socket, followed by a sk_tx_queue_get.
    The problem is that there is not mutual exclusion across these
    calls in the socket so it it is possible that the queue in the
    sock can be invalidated after sk_tx_queue_recorded is called so
    that sk_tx_queue get returns -1, which sets 65535 in queue_index
    and thus dev_pick_tx returns 65536 which is a bogus queue and
    can cause crash in dev_queue_xmit.
    
    We fix this by only calling sk_tx_queue_get which does the proper
    checks.  The interface is that sk_tx_queue_get returns the TX queue
    if the sock argument is non-NULL and TX queue is recorded, else it
    returns -1.  sk_tx_queue_recorded is no longer used so it can be
    completely removed.
    Signed-off-by: default avatarTom Herbert <therbert@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    b0f77d0e
dev.c 144 KB