On Mon, 2012-10-22 at 19:14 +0200, Krzysztof Mazur wrote: > The pppoatm_send() calls vcc->send() and now also checks for > some vcc flags that indicate destroyed vcc without proper locking. > > The vcc_sendmsg() uses lock_sock(sk). This lock is used by > vcc_release(), so vcc_destroy_socket() will not be called between > check and during ->send(). The vcc_release_async() sets ATM_VF_CLOSE, > but it should be safe to call ->send() after it, because > vcc->dev->ops->close() is not called. > > The pppoatm_send() is called with BH disabled, so bh_lock_sock() > should be used instead of lock_sock(). Should we be locking it earlier, so that the atm_may_send() call is also covered by the lock? Either way, it's an obvious improvement on what we had before — and even if the answer to my question above is 'yes', exceeding the configured size by one packet is both harmless and almost never going to happen since we now limit ourselves to two packets anyway. So: Acked-By: David Woodhouse -- dwmw2