From: Eric Dumazet <edumazet@google.com>
Date: Wed, 21 Jan 2015 11:45:42 +0000 (-0800)
Subject: ipv6: tcp: fix race in IPV6_2292PKTOPTIONS
X-Git-Tag: fixes-v4.0-rc1~150^2~142
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1dc7b90f7cd050ef6d5e511e652347e52874469c;p=pandora-kernel.git

ipv6: tcp: fix race in IPV6_2292PKTOPTIONS

IPv6 TCP sockets store in np->pktoptions skbs, and use skb_set_owner_r()
to charge the skb to socket.

It means that destructor must be called while socket is locked.

Therefore, we cannot use skb_get() or atomic_inc(&skb->users)
to protect ourselves : kfree_skb() might race with other users
manipulating sk->sk_forward_alloc

Fix this race by holding socket lock for the duration of
ip6_datagram_recv_ctl()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

Reading git-diff-tree failed