From d71ffeb12378243babb2227acfed0c8d263e237e Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Wed, 28 Nov 2012 00:46:45 +0000
Subject: [PATCH] br2684: fix module_put() race

The br2684 code used module_put() during unassignment from vcc with hope that we have BKL. This assumption is no longer true. Now owner field in atmvcc is used to move this module_put() to vcc_destroy_socket().

Signed-off-by: David Woodhouse
Acked-by: Krzysztof Mazur
---
 net/atm/br2684.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index 4de3ae7bc3e..6dc383c9026 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -69,6 +69,7 @@ struct br2684_vcc {
 void (*old_push)(struct atm_vcc *vcc, struct sk_buff *skb);
 void (*old_pop)(struct atm_vcc *vcc, struct sk_buff *skb);
 void (*old_release_cb)(struct atm_vcc *vcc);
+ struct module *old_owner;
 enum br2684_encaps encaps;
 struct list_head brvccs;
 #ifdef CONFIG_ATM_BR2684_IPFILTER
@@ -414,8 +415,8 @@ static void br2684_close_vcc(struct br2684_vcc *brvcc)
 brvcc->atmvcc->user_back = NULL; /* what about vcc->recvq ??? */
 brvcc->atmvcc->release_cb = brvcc->old_release_cb;
 brvcc->old_push(brvcc->atmvcc, NULL); /* pass on the bad news */
+ module_put(brvcc->old_owner);
 kfree(brvcc);
- module_put(THIS_MODULE);
 }
 
 /* when AAL5 PDU comes in: */
@@ -590,10 +591,12 @@ static int br2684_regvcc(struct atm_vcc *atmvcc, void __user * arg)
 brvcc->old_push = atmvcc->push;
 brvcc->old_pop = atmvcc->pop;
 brvcc->old_release_cb = atmvcc->release_cb;
+ brvcc->old_owner = atmvcc->owner;
 barrier();
 atmvcc->push = br2684_push;
 atmvcc->pop = br2684_pop;
 atmvcc->release_cb = br2684_release_cb;
+ atmvcc->owner = THIS_MODULE;
 
 /* initialize netdev carrier state */
 if (atmvcc->dev->signal == ATM_PHY_SIG_LOST)
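Review bot: In br2684_close_vcc() the new `module_put(brvcc->old_owner);` drops only the previous owner's reference, while `atmvcc->owner` is left pointing at this module without any comment saying that this is intentional. The commit message says the put for this module now happens in vcc_destroy_socket(), which is not part of this diff, so the fix is complete only if that function puts `vcc->owner` after the push(NULL) callback has returned; that should be confirmed against the tree this is applied to. I would add a comment above the call, for example `/* put the old owner here; our own ref is dropped by vcc_destroy_socket() via atmvcc->owner */`. The body of br2684_close_vcc() starts outside the hunk, so a caller other than the socket-destroy path is not visible here; such a caller would leave this module's reference held.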
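Review bot: In br2684_regvcc() the new store `atmvcc->owner = THIS_MODULE;` is published after the push/pop/release_cb pointers, and the `barrier()` above it is only a compiler barrier. Whether a concurrent teardown can observe br2684_push together with the old owner value therefore depends on locking that this hunk does not show; if it can, the old owner would be put twice, once through `vcc->owner` and once through `old_owner` in br2684_close_vcc(). The function continues past the end of the hunk, so the place where the matching reference on this module is taken is not visible either, and the teardown put is balanced only if that get is still reached on every path that returns success. A comment here naming what serialises this takeover against vcc teardown, such as `/* owner handed over under <lock>; put in vcc_destroy_socket() */` with the real lock filled in, would make the refcount pairing auditable.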