diff options
author | David S. Miller <davem@davemloft.net> | 2008-11-06 15:45:32 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-11-06 15:45:32 -0800 |
commit | 3b53fbf4314594fa04544b02b2fc6e607912da18 (patch) | |
tree | af88f6c7ecbdf06719c92cc8891f75f497b70555 /include | |
parent | 518a09ef11f8454f4676125d47c3e775b300c6a5 (diff) | |
download | linux-3b53fbf4314594fa04544b02b2fc6e607912da18.tar.gz linux-3b53fbf4314594fa04544b02b2fc6e607912da18.tar.bz2 linux-3b53fbf4314594fa04544b02b2fc6e607912da18.zip |
net: Fix recursive descent in __scm_destroy().
__scm_destroy() walks the list of file descriptors in the scm_fp_list
pointed to by the scm_cookie argument.
Those, in turn, can close sockets and invoke __scm_destroy() again.
There is nothing which limits how deeply this can occur.
The idea for how to fix this is from Linus. Basically, we do all of
the fput()s at the top level by collecting all of the scm_fp_list
objects hit by an fput(). Inside of the initial __scm_destroy() we
keep running the list until it is empty.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/sched.h | 2 | ||||
-rw-r--r-- | include/net/scm.h | 5 |
2 files changed, 5 insertions, 2 deletions
diff --git a/include/linux/sched.h b/include/linux/sched.h index b483f39a7112..295b7c756ca6 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1349,6 +1349,8 @@ struct task_struct { */ unsigned long timer_slack_ns; unsigned long default_timer_slack_ns; + + struct list_head *scm_work_list; }; /* diff --git a/include/net/scm.h b/include/net/scm.h index 06df126103ca..33e9986beb86 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -14,8 +14,9 @@ struct scm_fp_list { - int count; - struct file *fp[SCM_MAX_FD]; + struct list_head list; + int count; + struct file *fp[SCM_MAX_FD]; }; struct scm_cookie |