From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, James Chapman <jchapman@katalix.com>,
"David S. Miller" <davem@davemloft.net>,
Chris Wright <chrisw@sous-sol.org>
Subject: [patch 28/47] l2tp: Fix possible WARN_ON from socket code when UDP socket is closed
Date: Fri, 13 Jun 2008 17:11:37 -0700 [thread overview]
Message-ID: <20080614001137.GB24698@suse.de> (raw)
In-Reply-To: <20080614000840.GA24659@suse.de>
[-- Attachment #1: l2tp-fix-possible-warn_on-from-socket-code-when-udp-socket-is-closed.patch --]
[-- Type: text/plain, Size: 1904 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: James Chapman <jchapman@katalix.com>
[ upstream commit: 199f7d24ae59894243687a234a909f44a8724506 ]
If an L2TP daemon closes a tunnel socket while packets are queued in
the tunnel's reorder queue, a kernel warning is logged because the
socket is closed while skbs are still referencing it. The fix is to
purge the queue in the socket's release handler.
WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68()
Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8
[<c0423c58>] warn_on_slowpath+0x41/0x51
[<c05d33a7>] udp_lib_unhash+0x41/0x68
[<c059424d>] sk_common_release+0x23/0x90
[<c05d16be>] udp_lib_close+0x8/0xa
[<c05d8684>] inet_release+0x42/0x48
[<c0592599>] sock_release+0x14/0x60
[<c059299f>] sock_close+0x29/0x30
[<c046ef52>] __fput+0xad/0x15b
[<c046f1d9>] fput+0x17/0x19
[<c046c8c4>] filp_close+0x50/0x5a
[<c046da06>] sys_close+0x69/0x9f
[<c04048ce>] syscall_call+0x7/0xb
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
drivers/net/pppol2tp.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -1279,6 +1279,7 @@ out:
static int pppol2tp_release(struct socket *sock)
{
struct sock *sk = sock->sk;
+ struct pppol2tp_session *session;
int error;
if (!sk)
@@ -1296,9 +1297,18 @@ static int pppol2tp_release(struct socke
sock_orphan(sk);
sock->sk = NULL;
+ session = pppol2tp_sock_to_session(sk);
+
/* Purge any queued data */
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
+ if (session != NULL) {
+ struct sk_buff *skb;
+ while ((skb = skb_dequeue(&session->reorder_q))) {
+ kfree_skb(skb);
+ sock_put(sk);
+ }
+ }
release_sock(sk);
--
next prev parent reply other threads:[~2008-06-14 0:21 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080613234753.235721454@mini.kroah.org>
2008-06-14 0:08 ` [patch 00/47] 2.6.25-stable review Greg KH
2008-06-14 0:10 ` [patch 01/47] b43: Fix controller restart crash Greg KH
2008-06-14 0:10 ` [patch 02/47] ipwireless: Fix blocked sending Greg KH
2008-06-14 0:10 ` [patch 03/47] Add rd alias to new brd ramdisk driver Greg KH
2008-06-14 0:10 ` [patch 04/47] ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable Greg KH
2008-06-14 0:10 ` [patch 05/47] double-free of inode on alloc_file() failure exit in create_write_pipe() Greg KH
2008-06-14 0:10 ` [patch 06/47] ALSA: hda - Fix resume of auto-config mode with Realtek codecs Greg KH
2008-06-14 0:10 ` [patch 07/47] sound: emu10k1 - fix system hang with Audigy2 ZS Notebook PCMCIA card Greg KH
2008-06-14 0:10 ` [patch 08/47] ecryptfs: add missing lock around notify_change Greg KH
2008-06-14 0:10 ` [patch 09/47] eCryptfs: protect crypt_stat->flags in ecryptfs_open() Greg KH
2008-06-14 0:10 ` [patch 10/47] ecryptfs: clean up (un)lock_parent Greg KH
2008-06-14 0:10 ` [patch 11/47] ecryptfs: fix missed mutex_unlock Greg KH
2008-06-14 0:10 ` [patch 12/47] fbdev: export symbol fb_mode_option Greg KH
2008-06-14 0:10 ` [patch 13/47] sunhv: Fix locking in non-paged I/O case Greg KH
2008-06-14 0:10 ` [patch 14/47] af_key: Fix selector family initialization Greg KH
2008-06-14 0:10 ` [patch 15/47] ax25: Fix NULL pointer dereference and lockup Greg KH
2008-06-14 0:10 ` [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling Greg KH
2008-06-14 2:50 ` Dave Young
2008-06-14 3:46 ` David Miller
2008-06-16 19:40 ` [stable] " Greg KH
2008-06-14 12:26 ` Marcel Holtmann
2008-06-15 3:35 ` Dave Young
2008-06-14 0:11 ` [patch 17/47] can: Fix copy_from_user() results interpretation Greg KH
2008-06-14 0:11 ` [patch 18/47] cassini: Only use chip checksum for ipv4 packets Greg KH
2008-06-14 0:11 ` [patch 19/47] net: Fix call to ->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags() Greg KH
2008-06-14 0:11 ` [patch 20/47] net_sched: cls_api: fix return value for non-existant classifiers Greg KH
2008-06-14 0:11 ` [patch 21/47] ipsec: Use the correct ip_local_out function Greg KH
2008-06-14 0:11 ` [patch 22/47] netlink: Fix nla_parse_nested_compat() to call nla_parse() directly Greg KH
2008-06-14 0:11 ` [patch 23/47] l2tp: avoid skb truesize bug if headroom is increased Greg KH
2008-06-14 0:11 ` [patch 24/47] vlan: Correctly handle device notifications for layered VLAN devices Greg KH
2008-06-14 0:11 ` [patch 25/47] tcp: TCP connection times out if ICMP frag needed is delayed Greg KH
2008-06-14 0:11 ` [patch 26/47] tcp: Allow send-limited cwnd to grow up to max_burst when gso disabled Greg KH
2008-06-14 0:11 ` [patch 27/47] tcp: Limit cwnd growth when deferring for GSO Greg KH
2008-06-14 0:11 ` Greg KH [this message]
2008-06-14 0:11 ` [patch 29/47] l2tp: Fix possible oops if transmitting or receiving when tunnel goes down Greg KH
2008-06-14 0:11 ` [patch 30/47] tcp: fix skb vs fack_count out-of-sync condition Greg KH
2008-06-14 0:11 ` [patch 31/47] tcp FRTO: Fix fallback to conventional recovery Greg KH
2008-06-14 0:11 ` [patch 32/47] tcp FRTO: SACK variant is errorneously used with NewReno Greg KH
2008-06-14 0:11 ` [patch 33/47] tcp FRTO: work-around inorder receivers Greg KH
2008-06-14 0:11 ` [patch 34/47] mmc: wbsd: initialize tasklets before requesting interrupt Greg KH
2008-06-14 0:11 ` [patch 35/47] cciss: add new hardware support Greg KH
2008-06-14 0:11 ` [patch 36/47] hgafb: resource management fix Greg KH
2008-06-14 0:11 ` [patch 37/47] forcedeth: msi interrupts Greg KH
2008-06-14 0:12 ` [patch 38/47] tcp: Fix inconsistency source (CA_Open only when !tcp_left_out(tp)) Greg KH
2008-06-14 0:12 ` [patch 39/47] IB/umem: Avoid sign problems when demoting npages to integer Greg KH
2008-06-14 0:12 ` [patch 40/47] m68k: Add ext2_find_{first,next}_bit() for ext4 Greg KH
2008-06-14 0:12 ` [patch 41/47] cifs: fix oops on mount when CONFIG_CIFS_DFS_UPCALL is enabled Greg KH
2008-06-14 0:12 ` [patch 42/47] CPUFREQ: Fix format string bug Greg KH
2008-06-14 0:12 ` [patch 43/47] serial: fix enable_irq_wake/disable_irq_wake imbalance in serial_core.c Greg KH
2008-06-14 0:12 ` [patch 44/47] Kconfig: introduce ARCH_DEFCONFIG to DEFCONFIG_LIST Greg KH
2008-06-14 0:12 ` [patch 45/47] bttv: Fix a deadlock in the bttv driver Greg KH
2008-06-14 0:12 ` [patch 46/47] x86: fix recursive dependencies Greg KH
2008-06-14 0:12 ` [patch 47/47] mac80211: send association event on IBSS create Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080614001137.GB24698@suse.de \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=jchapman@katalix.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=w@1wt.eu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox