diff options
Diffstat (limited to 'net/unix/unix_bpf.c')
| -rw-r--r-- | net/unix/unix_bpf.c | 21 | 
1 files changed, 18 insertions, 3 deletions
| diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c index 7ea7c3a0d0d0..bd84785bf8d6 100644 --- a/net/unix/unix_bpf.c +++ b/net/unix/unix_bpf.c @@ -161,15 +161,30 @@ int unix_stream_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool r  {  	struct sock *sk_pair; +	/* Restore does not decrement the sk_pair reference yet because we must +	 * keep the a reference to the socket until after an RCU grace period +	 * and any pending sends have completed. +	 */  	if (restore) {  		sk->sk_write_space = psock->saved_write_space;  		sock_replace_proto(sk, psock->sk_proto);  		return 0;  	} -	sk_pair = unix_peer(sk); -	sock_hold(sk_pair); -	psock->sk_pair = sk_pair; +	/* psock_update_sk_prot can be called multiple times if psock is +	 * added to multiple maps and/or slots in the same map. There is +	 * also an edge case where replacing a psock with itself can trigger +	 * an extra psock_update_sk_prot during the insert process. So it +	 * must be safe to do multiple calls. Here we need to ensure we don't +	 * increment the refcnt through sock_hold many times. There will only +	 * be a single matching destroy operation. +	 */ +	if (!psock->sk_pair) { +		sk_pair = unix_peer(sk); +		sock_hold(sk_pair); +		psock->sk_pair = sk_pair; +	} +  	unix_stream_bpf_check_needs_rebuild(psock->sk_proto);  	sock_replace_proto(sk, &unix_stream_bpf_prot);  	return 0; | 
