[XFRM]: Fix aevent related crash
When xfrm_user isn't loaded xfrm_nl is NULL, which makes IPsec crash because
xfrm_aevent_is_on passes the NULL pointer to netlink_has_listeners as socket.
A second problem is that the xfrm_nl pointer is not cleared when the socket
is released at module unload time.
Protect references of xfrm_nl from outside of xfrm_user by RCU, check
that the socket is present in xfrm_aevent_is_on and set it to NULL
when unloading xfrm_user.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 7863713..61b7504 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1001,7 +1001,15 @@
static inline int xfrm_aevent_is_on(void)
{
- return netlink_has_listeners(xfrm_nl,XFRMNLGRP_AEVENTS);
+ struct sock *nlsk;
+ int ret = 0;
+
+ rcu_read_lock();
+ nlsk = rcu_dereference(xfrm_nl);
+ if (nlsk)
+ ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
+ rcu_read_unlock();
+ return ret;
}
static inline void xfrm_aevent_doreplay(struct xfrm_state *x)
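Review bot: In xfrm_aevent_is_on(), the rcu_dereference(xfrm_nl) read is only safe if the xfrm_user unload path clears the pointer with rcu_assign_pointer() and waits for a grace period before the socket is released. That writer side is not visible in this hunk, so please confirm it is part of the patch; without it, netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS) can still run against a socket that is being torn down. A short comment above the function would also help, stating that xfrm_nl may be NULL when xfrm_user is not loaded and must only be read under rcu_read_lock() from outside xfrm_user. Note too that the returned value is a snapshot: once rcu_read_unlock() has run, callers must not assume the socket is still present.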