pppoatm: drop frames to not-ready vcc

The vcc_destroy_socket() closes vcc before the protocol is detached from vcc by calling vcc->push() with NULL skb. This leaves some time window, where the protocol may call vcc->send() on closed vcc and crash. Now pppoatm_send(), like vcc_sendmsg(), checks for vcc flags that indicate that vcc is not ready. If the vcc is not ready we just drop frame. Queueing frames is much more complicated because we don't have callbacks that inform us about vcc flags changes. Signed-off-by: Krzysztof Mazur <[email protected]> Signed-off-by: David Woodhouse <[email protected]>
rtvt123 · Nov 30, 2012 · 071d939 · 071d939
1 parent 3ac1080
commit 071d939
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/net/atm/pppoatm.c b/net/atm/pppoatm.c
@@ -284,6 +284,13 @@ static int pppoatm_send(struct ppp_channel *chan, struct sk_buff *skb)
 	bh_lock_sock(sk_atm(vcc));
 	if (sock_owned_by_user(sk_atm(vcc)))
 		goto nospace;
+	if (test_bit(ATM_VF_RELEASED, &vcc->flags) ||
+	    test_bit(ATM_VF_CLOSE, &vcc->flags) ||
+	    !test_bit(ATM_VF_READY, &vcc->flags)) {
+		bh_unlock_sock(sk_atm(vcc));
+		kfree_skb(skb);
+		return DROP_PACKET;
+	}
 
 	switch (pvcc->encaps) {		/* LLC encapsulation needed */
 	case e_llc: