projects / unionfs-2.6.39.y.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e978d59) | patch
net: Fix recursive descent in __scm_destroy().
authorDavid Miller <davem@davemloft.net>
Thu, 6 Nov 2008 08:37:40 +0000 (00:37 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 10 Nov 2008 18:50:05 +0000 (10:50 -0800)
commit52b5acdd4f41f95472437cdc8886eb195a9e433a
treea5c9084dc0275c852cd1ad986e5f1894b74fd421tree | snapshot
parente978d59c81b564ae8b213dd32624fc01ce4adacbcommit | diff
net: Fix recursive descent in __scm_destroy().

commit f8d570a4745835f2238a33b537218a1bb03fc671 and
3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
good enough...)

__scm_destroy() walks the list of file descriptors in the scm_fp_list
pointed to by the scm_cookie argument.

Those, in turn, can close sockets and invoke __scm_destroy() again.

There is nothing which limits how deeply this can occur.

The idea for how to fix this is from Linus.  Basically, we do all of
the fput()s at the top level by collecting all of the scm_fp_list
objects hit by an fput().  Inside of the initial __scm_destroy() we
keep running the list until it is empty.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
include/linux/sched.h diff | blob | history
include/net/scm.h diff | blob | history
net/core/scm.c diff | blob | history
unionfs2-2.6.39.y