From 01637996a51269ff566a104879a539ff45e6e782 Mon Sep 17 00:00:00 2001 From: Hanjie Wu Date: Thu, 21 Oct 2021 00:09:30 +0800 Subject: [PATCH] ax25: fix race condition in AX25 device unregister routine The ax25_kill_by_device() function in the unregister routine has concurrency issues with other AX25 socket functions. The ax25_dev pointer field of ax25_cb is set to NULL and the ax25_dev struct is then deallocated by ax25_rt_device_down(). However, other socket functions like ax25_sendmsg() may still access the invalidated pointer. This patch introduces lock_sock() into ax25_kill_by_device(), in order to guarantee that the unregister routine cannot proceed when another socket request is pending. Signed-off-by: Hanjie Wu --- net/ax25/af_ax25.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 2631efc6e..aa7785687 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -85,8 +85,10 @@ static void ax25_kill_by_device(struct net_device *dev) again: ax25_for_each(s, &ax25_list) { if (s->ax25_dev == ax25_dev) { - s->ax25_dev = NULL; spin_unlock_bh(&ax25_list_lock); + lock_sock(s->sk); + s->ax25_dev = NULL; + release_sock(s->sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); -- 2.25.1
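Review bot: between spin_unlock_bh(&ax25_list_lock) and the new lock_sock(s->sk), nothing in this hunk holds a reference on s or on s->sk, so a concurrent release of the socket in that window would leave lock_sock() operating on freed memory, trading one use-after-free for another. Consider taking a reference with sock_hold(s->sk) while ax25_list_lock is still held and dropping it with sock_put() after release_sock(). The added lines also dereference s->sk unconditionally; if a control block on ax25_list can exist without an attached socket, lock_sock(s->sk) needs a NULL guard, with the plain `s->ax25_dev = NULL;` kept for that case. Finally, the fix only closes the race if ax25_sendmsg() and the other readers test ax25_dev for NULL while holding the socket lock; the commit message should state that this is the case.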