Skip to content

Commit 664f1b8

Browse files
kuba-mookuba-moo
committed
Merge branch 'with-a-mutex'
Eric Dumazet says: ==================== net: atm: protect dev_lec[] with a mutex Based on an initial syzbot report. First patch is adding lec_mutex to address the report. Second patch protects /proc/net/atm/lec operations. We probably should delete this driver, it seems quite broken. ==================== Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]>
2 parents e7ea5f5 + d03b79f commit 664f1b8

File tree

1 file changed

+10
-2
lines changed

1 file changed

+10
-2
lines changed

net/atm/lec.c

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -124,6 +124,7 @@ static unsigned char bus_mac[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
124124

125125
/* Device structures */
126126
static struct net_device *dev_lec[MAX_LEC_ITF];
127+
static DEFINE_MUTEX(lec_mutex);
127128

128129
#if IS_ENABLED(CONFIG_BRIDGE)
129130
static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev)
@@ -685,6 +686,7 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
685686
int bytes_left;
686687
struct atmlec_ioc ioc_data;
687688

689+
lockdep_assert_held(&lec_mutex);
688690
/* Lecd must be up in this case */
689691
bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc));
690692
if (bytes_left != 0)
@@ -710,6 +712,7 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
710712

711713
static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
712714
{
715+
lockdep_assert_held(&lec_mutex);
713716
if (arg < 0 || arg >= MAX_LEC_ITF)
714717
return -EINVAL;
715718
arg = array_index_nospec(arg, MAX_LEC_ITF);
@@ -725,6 +728,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg)
725728
int i;
726729
struct lec_priv *priv;
727730

731+
lockdep_assert_held(&lec_mutex);
728732
if (arg < 0)
729733
arg = 0;
730734
if (arg >= MAX_LEC_ITF)
@@ -742,6 +746,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg)
742746
snprintf(dev_lec[i]->name, IFNAMSIZ, "lec%d", i);
743747
if (register_netdev(dev_lec[i])) {
744748
free_netdev(dev_lec[i]);
749+
dev_lec[i] = NULL;
745750
return -EINVAL;
746751
}
747752

@@ -904,7 +909,6 @@ static void *lec_itf_walk(struct lec_state *state, loff_t *l)
904909
v = (dev && netdev_priv(dev)) ?
905910
lec_priv_walk(state, l, netdev_priv(dev)) : NULL;
906911
if (!v && dev) {
907-
dev_put(dev);
908912
/* Partial state reset for the next time we get called */
909913
dev = NULL;
910914
}
@@ -928,6 +932,7 @@ static void *lec_seq_start(struct seq_file *seq, loff_t *pos)
928932
{
929933
struct lec_state *state = seq->private;
930934

935+
mutex_lock(&lec_mutex);
931936
state->itf = 0;
932937
state->dev = NULL;
933938
state->locked = NULL;
@@ -945,8 +950,9 @@ static void lec_seq_stop(struct seq_file *seq, void *v)
945950
if (state->dev) {
946951
spin_unlock_irqrestore(&state->locked->lec_arp_lock,
947952
state->flags);
948-
dev_put(state->dev);
953+
state->dev = NULL;
949954
}
955+
mutex_unlock(&lec_mutex);
950956
}
951957

952958
static void *lec_seq_next(struct seq_file *seq, void *v, loff_t *pos)
@@ -1003,6 +1009,7 @@ static int lane_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
10031009
return -ENOIOCTLCMD;
10041010
}
10051011

1012+
mutex_lock(&lec_mutex);
10061013
switch (cmd) {
10071014
case ATMLEC_CTRL:
10081015
err = lecd_attach(vcc, (int)arg);
@@ -1017,6 +1024,7 @@ static int lane_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
10171024
break;
10181025
}
10191026

1027+
mutex_unlock(&lec_mutex);
10201028
return err;
10211029
}
10221030

0 commit comments

Comments
 (0)