From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58FC3C43331 for ; Thu, 2 Apr 2020 17:33:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2422B20737 for ; Thu, 2 Apr 2020 17:33:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585848798; bh=bofnpkTixlr+vFtjtf4L9bLs5c+RTq7fq8uU6eBnacQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=SaggqNWRK4b4MiUzRtqmJri/11ZGMWNMho0GhI2JJML12UnDDMrivyCzKDbGqcJ84 1m+XW0+CNzWSumSwEPp6ohBdupi6hWMWXjM+jLXl4GZdRztr5U/Gbdz2uWOSuP2k2+ WqlQHlLzDMRq2ckngYTxv9Mp3Ger6RDGVIk3X0yc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390035AbgDBRdK (ORCPT ); Thu, 2 Apr 2020 13:33:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:33442 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390061AbgDBRdK (ORCPT ); Thu, 2 Apr 2020 13:33:10 -0400 Received: from localhost.localdomain (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 36DDE2080C; Thu, 2 Apr 2020 17:33:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585848789; bh=bofnpkTixlr+vFtjtf4L9bLs5c+RTq7fq8uU6eBnacQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yUsg0AGkD78YtoBJP1auLz+HDSE0sqN5c6+T4f8bDw6YrFxOM8u/9OR+dBULir5iX 45MO66U+I+bQ5f9QFTXorE7yKX+SndS/zpAd58HtpnagC5WyTFDsb5mH5UKFi35Kyu dVRgN8d9OE6pAKviMYXIShVFRgTl2X8WJWdZHPvs= From: Will Deacon To: gregkh@linuxfoundation.org Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, g.nault@alphalink.fr, "David S . Miller" , Will Deacon Subject: [PATCH 7/8] l2tp: ensure sessions are freed after their PPPOL2TP socket Date: Thu, 2 Apr 2020 18:32:49 +0100 Message-Id: <20200402173250.7858-8-will@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200402173250.7858-1-will@kernel.org> References: <20200402173250.7858-1-will@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Guillaume Nault commit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream. If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session right after pppol2tp_release() orphaned its socket, then the 'sock' variable of the pppol2tp_session_close() callback is NULL. Yet the session is still used by pppol2tp_release(). Therefore we need to take an extra reference in any case, to prevent l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session. Since the pppol2tp_session_close() callback is only set if the session is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete() and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling pppol2tp_session_close(), we're sure that pppol2tp_session_close() and pppol2tp_session_destruct() are paired and called in the right order. So the reference taken by the former will be released by the later. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Will Deacon --- net/l2tp/l2tp_ppp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 98d4fa47b6a5..bc5d6b8f8ede 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -452,11 +452,11 @@ static void pppol2tp_session_close(struct l2tp_session *session) BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (sock) { + if (sock) inet_shutdown(sock, SEND_SHUTDOWN); - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); - } + + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); } /* Really kill the session socket. (Called from sock_put() if -- 2.26.0.rc2.310.g2932bb562d-goog