On Tue, Jan 22, 2019 at 10:41 AM 'Eric Dumazet' via syzkaller <syzkal...@googlegroups.com> wrote:
>
> syzbot found that ax25 routes were not properly protected
> against concurrent use [1].
>
> In this particular report the bug happened while
> copying ax25->digipeat.
>
> Fix this problem by making sure we call ax25_get_route()
> while ax25_route_lock is held, so that no modification
> could happen while using the route.

ax25_route_lock_use() is a read lock, so two ax25_rt_autobind()
could still enter the same critical section?

> The current two ax25_get_route() callers do not sleep,
> so this change should be fine.
>
> Once we do that, ax25_get_route() no longer needs to
> grab a reference on the found route.

After your patch, ax25_hold_route() has no callers while
ax25_put_route() still does. Is ->refcount always 1?

Thanks.