[NET]: rtnl_link: fix use-after-free

[safe/jmp/linux-2.6] / net / core / rtnetlink.c

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 44f91bb..fed95a3 100644 (file)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -35,6 +35,7 @@
 #include <linux/security.h>
 #include <linux/mutex.h>
 #include <linux/if_addr.h>
+#include <linux/nsproxy.h>
 
 #include <asm/uaccess.h>
 #include <asm/system.h>
@@ -74,8 +75,6 @@ void __rtnl_unlock(void)
 void rtnl_unlock(void)
 {
        mutex_unlock(&rtnl_mutex);
-       if (rtnl && rtnl->sk_receive_queue.qlen)
-               rtnl->sk_data_ready(rtnl, 0);
        netdev_run_todo();
 }
 
@@ -309,9 +308,12 @@ void __rtnl_link_unregister(struct rtnl_link_ops *ops)
        struct net *net;
 
        for_each_net(net) {
+restart:
                for_each_netdev_safe(net, dev, n) {
-                       if (dev->rtnl_link_ops == ops)
+                       if (dev->rtnl_link_ops == ops) {
                                ops->dellink(dev);
+                               goto restart;
+                       }
                }
        }
        list_del(&ops->list);
@@ -727,6 +729,7 @@ const struct nla_policy ifla_policy[IFLA_MAX+1] = {
        [IFLA_WEIGHT]           = { .type = NLA_U32 },
        [IFLA_OPERSTATE]        = { .type = NLA_U8 },
        [IFLA_LINKMODE]         = { .type = NLA_U8 },
+       [IFLA_NET_NS_PID]       = { .type = NLA_U32 },
 };
 
 static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
@@ -734,12 +737,45 @@ static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
        [IFLA_INFO_DATA]        = { .type = NLA_NESTED },
 };
 
+static struct net *get_net_ns_by_pid(pid_t pid)
+{
+       struct task_struct *tsk;
+       struct net *net;
+
+       /* Lookup the network namespace */
+       net = ERR_PTR(-ESRCH);
+       rcu_read_lock();
+       tsk = find_task_by_vpid(pid);
+       if (tsk) {
+               struct nsproxy *nsproxy;
+               nsproxy = task_nsproxy(tsk);
+               if (nsproxy)
+                       net = get_net(nsproxy->net_ns);
+       }
+       rcu_read_unlock();
+       return net;
+}
+
 static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
                      struct nlattr **tb, char *ifname, int modified)
 {
        int send_addr_notify = 0;
        int err;
 
+       if (tb[IFLA_NET_NS_PID]) {
+               struct net *net;
+               net = get_net_ns_by_pid(nla_get_u32(tb[IFLA_NET_NS_PID]));
+               if (IS_ERR(net)) {
+                       err = PTR_ERR(net);
+                       goto errout;
+               }
+               err = dev_change_net_namespace(dev, net, ifname);
+               put_net(net);
+               if (err)
+                       goto errout;
+               modified = 1;
+       }
+
        if (tb[IFLA_MAP]) {
                struct rtnl_link_ifmap *u_map;
                struct ifmap k_map;
@@ -1279,17 +1315,11 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        return doit(skb, nlh, (void *)&rta_buf[0]);
 }
 
-static void rtnetlink_rcv(struct sock *sk, int len)
+static void rtnetlink_rcv(struct sk_buff *skb)
 {
-       unsigned int qlen = 0;
-
-       do {
-               mutex_lock(&rtnl_mutex);
-               netlink_run_queue(sk, &qlen, &rtnetlink_rcv_msg);
-               mutex_unlock(&rtnl_mutex);
-
-               netdev_run_todo();
-       } while (qlen);
+       rtnl_lock();
+       netlink_rcv_skb(skb, &rtnetlink_rcv_msg);
+       rtnl_unlock();
 }
 
 static int rtnetlink_event(struct notifier_block *this, unsigned long event, void *ptr)