l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6

[ Upstream commit 94d7ee0baa8b764cf64ad91ed69464c1a6a0066b ] The code following l2tp_tunnel_find() expects that a new reference is held on sk. Either sk_receive_skb() or the discard_put error path will drop a reference from the tunnel's socket. This issue exists in both l2tp_ip and l2tp_ip6. Fixes: a3c18422a4b4 ("l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Guillaume Nault <g.nault@alphalink.fr> 2017-03-29 06:44:59 (GMT)
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-05-03 15:36:35 (GMT)
commit: 59bc404b382967a41250cc01299b0419e61392c0 (patch)
tree: 2f3d778a13c04e71c33622fad69cd07cdb4c2faf /net/l2tp/l2tp_ip6.c
parent: 501299e643814d2367aeeae8439129f0facc4183 (diff)
download: linux-59bc404b382967a41250cc01299b0419e61392c0.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 1a65c9a..a4b0c92 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -191,9 +191,10 @@ pass_up:
 
 	tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
 	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel != NULL)
+	if (tunnel) {
 		sk = tunnel->sock;
-	else {
+		sock_hold(sk);
+	} else {
 		struct ipv6hdr *iph = ipv6_hdr(skb);
 
 		read_lock_bh(&l2tp_ip6_lock);
author	Guillaume Nault <g.nault@alphalink.fr>	2017-03-29 06:44:59 (GMT)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-05-03 15:36:35 (GMT)
commit	59bc404b382967a41250cc01299b0419e61392c0 (patch)
tree	2f3d778a13c04e71c33622fad69cd07cdb4c2faf /net/l2tp/l2tp_ip6.c
parent	501299e643814d2367aeeae8439129f0facc4183 (diff)
download	linux-59bc404b382967a41250cc01299b0419e61392c0.tar.xz