• Jiri Bohac's avatar
    bonding: fix a race condition in calls to slave MII ioctls · 44791e49
    Jiri Bohac authored
    commit d9d52832 upstream.
    
    In mii monitor mode, bond_check_dev_link() calls the the ioctl
    handler of slave devices. It stores the ndo_do_ioctl function
    pointer to a static (!) ioctl variable and later uses it to call the
    handler with the IOCTL macro.
    
    If another thread executes bond_check_dev_link() at the same time
    (even with a different bond, which none of the locks prevent), a
    race condition occurs. If the two racing slaves have different
    drivers, this may result in one driver's ioctl handler being
    called with a pointer to a net_device controlled with a different
    driver, resulting in unpredictable breakage.
    
    Unless I am overlooking something, the "static" must be a
    copy'n'paste error (?).
    Signed-off-by: default avatarJiri Bohac <jbohac@suse.cz>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
    44791e49
bond_main.c 134 KB