[NET]: rtnl_link: fix use-after-free

[safe/jmp/linux-2.6] / net / core / rtnetlink.c

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 471d2d9..fed95a3 100644 (file)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -308,9 +308,12 @@ void __rtnl_link_unregister(struct rtnl_link_ops *ops)
        struct net *net;
 
        for_each_net(net) {
+restart:
                for_each_netdev_safe(net, dev, n) {
-                       if (dev->rtnl_link_ops == ops)
+                       if (dev->rtnl_link_ops == ops) {
                                ops->dellink(dev);
+                               goto restart;
+                       }
                }
        }
        list_del(&ops->list);
@@ -742,12 +745,12 @@ static struct net *get_net_ns_by_pid(pid_t pid)
        /* Lookup the network namespace */
        net = ERR_PTR(-ESRCH);
        rcu_read_lock();
-       tsk = find_task_by_pid(pid);
+       tsk = find_task_by_vpid(pid);
        if (tsk) {
-               task_lock(tsk);
-               if (tsk->nsproxy)
-                       net = get_net(tsk->nsproxy->net_ns);
-               task_unlock(tsk);
+               struct nsproxy *nsproxy;
+               nsproxy = task_nsproxy(tsk);
+               if (nsproxy)
+                       net = get_net(nsproxy->net_ns);
        }
        rcu_read_unlock();
        return net;
@@ -1312,15 +1315,11 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        return doit(skb, nlh, (void *)&rta_buf[0]);
 }
 
-static void rtnetlink_rcv(struct sock *sk, int len)
+static void rtnetlink_rcv(struct sk_buff *skb)
 {
-       unsigned int qlen = 0;
-
-       do {
-               rtnl_lock();
-               qlen = netlink_run_queue(sk, qlen, &rtnetlink_rcv_msg);
-               rtnl_unlock();
-       } while (qlen);
+       rtnl_lock();
+       netlink_rcv_skb(skb, &rtnetlink_rcv_msg);
+       rtnl_unlock();
 }
 
 static int rtnetlink_event(struct notifier_block *this, unsigned long event, void *ptr)