[AF_PACKET]: Fix bind()/setsockopt(PACKET_RX_RING) bug and socket leak.

This problem was the bug of packet_set_ring(). packet_set_ring() removes the hook for preparation of ring buffer, but it didn't restore. Also it's leaking the refcount of sk.

[AF_PACKET]: Fix bind()/setsockopt(PACKET_RX_RING) bug and socket leak.
This problem was the bug of packet_set_ring(). packet_set_ring() removes the hook for preparation of ring buffer, but it didn't restore. Also it's leaking the refcount of sk.
c2e514bc · Hirofumi Ogawa · David S. Miller · 5597ba1e · c2e514bc
Commit c2e514bc authored Jan 14, 2004 by Hirofumi Ogawa Committed by David S. Miller Jan 14, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 3 deletions

net/packet/af_packet.c net/packet/af_packet.c +10 -3

No files found.
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1550,7 +1550,7 @@ static int packet_set_ring(struct sock *sk, struct tpacket_req *req, int closing
 	unsigned long *pg_vec = NULL;
 	struct tpacket_hdr **io_vec = NULL;
 	struct packet_opt *po = pkt_sk(sk);
-	int order = 0;
+	int was_running, num, order = 0;
 	int err = 0;
 	if (req->tp_block_nr) {
@@ -1623,10 +1623,13 @@ static int packet_set_ring(struct sock *sk, struct tpacket_req *req, int closing
 	/* Detach socket from network */
 	spin_lock(&po->bind_lock);
-	if (po->running) {
+	was_running = po->running;
+	num = po->num;
+	if (was_running) {
 		__dev_remove_pack(&po->prot_hook);
 		po->num = 0;
 		po->running = 0;
+		__sock_put(sk);
 	}
 	spin_unlock(&po->bind_lock);
@@ -1657,8 +1660,12 @@ static int packet_set_ring(struct sock *sk, struct tpacket_req *req, int closing
 	}
 	spin_lock(&po->bind_lock);
-	if (po->running)
+	if (was_running && !po->running) {
+		sock_hold(sk);
+		po->running = 1;
+		po->num = num;
 		dev_add_pack(&po->prot_hook);
+	}
 	spin_unlock(&po->bind_lock);
 	release_sock(sk);