git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Cong Wang <xiyou.wangcong@gmail.com>
	Tue, 7 Aug 2018 19:41:38 +0000 (12:41 -0700)
committer	Juerg Haefliger <juergh@canonical.com>
	Wed, 24 Jul 2019 01:42:12 +0000 (19:42 -0600)
commit	4c0b32f841063326a8b0fe14c6fca62dc3f4c4eb
tree	3acb6051cf04fd6d2f77b0cc64388005a810ce02	tree
parent	96596f83fea3e7e01a00f1be6531677c248168d2	commit \| diff

llc: use refcount_inc_not_zero() for llc_sap_find()

BugLink: https://bugs.launchpad.net/bugs/1835845
[ Upstream commit 0dcb82254d65f72333aa50ad626d1e9665ad093b ]

llc_sap_put() decreases the refcnt before deleting sap
from the global list. Therefore, there is a chance
llc_sap_find() could find a sap with zero refcnt
in this global list.

Close this race condition by checking if refcnt is zero
or not in llc_sap_find(), if it is zero then it is being
removed so we can just treat it as gone.

Reported-by: <syzbot+278893f3f7803871f7ce@syzkaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

include/net/llc.h		diff \| blob \| blame \| history
net/llc/llc_core.c		diff \| blob \| blame \| history