Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6755aeba authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

can: should not use __dev_get_by_index() without locks 



bcm_proc_getifname() is called with RTNL and dev_base_lock
not held. It calls __dev_get_by_index() without locks, and
this is illegal (might crash)

Close the race by holding dev_base_lock and copying dev->name
in the protected section.

Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarOliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cc05368c

net/can/bcm.c

+12 −7
Original line number Original line Diff line number Diff line
@@ -132,23 +132,27 @@ static inline struct bcm_sock *bcm_sk(const struct sock *sk) 
/*

/*

 * procfs functions

 * procfs functions

 */

 */

static char *bcm_proc_getifname(int ifindex)

static char *bcm_proc_getifname(char *result, int ifindex)

{

{

	struct net_device *dev;

	struct net_device *dev;





	if (!ifindex)

	if (!ifindex)

		return "any";

		return "any";





	/* no usage counting */

	read_lock(&dev_base_lock);

	dev = __dev_get_by_index(&init_net, ifindex);

	dev = __dev_get_by_index(&init_net, ifindex);

	if (dev)

	if (dev)

		return dev->name;

		strcpy(result, dev->name);

	else

		strcpy(result, "???");

	read_unlock(&dev_base_lock);





	return "???";

	return result;

}

}





static int bcm_proc_show(struct seq_file *m, void *v)

static int bcm_proc_show(struct seq_file *m, void *v)

{

{

	char ifname[IFNAMSIZ];

	struct sock *sk = (struct sock *)m->private;

	struct sock *sk = (struct sock *)m->private;

	struct bcm_sock *bo = bcm_sk(sk);

	struct bcm_sock *bo = bcm_sk(sk);

	struct bcm_op *op;

	struct bcm_op *op;
@@ -157,7 +161,7 @@ static int bcm_proc_show(struct seq_file *m, void *v) 
	seq_printf(m, " / sk %p", sk);

	seq_printf(m, " / sk %p", sk);

	seq_printf(m, " / bo %p", bo);

	seq_printf(m, " / bo %p", bo);

	seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);

	seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);

	seq_printf(m, " / bound %s", bcm_proc_getifname(bo->ifindex));

	seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));

	seq_printf(m, " <<<\n");

	seq_printf(m, " <<<\n");





	list_for_each_entry(op, &bo->rx_ops, list) {

	list_for_each_entry(op, &bo->rx_ops, list) {
@@ -169,7 +173,7 @@ static int bcm_proc_show(struct seq_file *m, void *v) 
			continue;

			continue;





		seq_printf(m, "rx_op: %03X %-5s ",

		seq_printf(m, "rx_op: %03X %-5s ",

				op->can_id, bcm_proc_getifname(op->ifindex));

				op->can_id, bcm_proc_getifname(ifname, op->ifindex));

		seq_printf(m, "[%d]%c ", op->nframes,

		seq_printf(m, "[%d]%c ", op->nframes,

				(op->flags & RX_CHECK_DLC)?'d':' ');

				(op->flags & RX_CHECK_DLC)?'d':' ');

		if (op->kt_ival1.tv64)

		if (op->kt_ival1.tv64)
@@ -194,7 +198,8 @@ static int bcm_proc_show(struct seq_file *m, void *v) 
	list_for_each_entry(op, &bo->tx_ops, list) {

	list_for_each_entry(op, &bo->tx_ops, list) {





		seq_printf(m, "tx_op: %03X %s [%d] ",

		seq_printf(m, "tx_op: %03X %s [%d] ",

				op->can_id, bcm_proc_getifname(op->ifindex),

				op->can_id,

				bcm_proc_getifname(ifname, op->ifindex),

				op->nframes);

				op->nframes);





		if (op->kt_ival1.tv64)

		if (op->kt_ival1.tv64)