[PATCH 3.16 309/366] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
From: Ben Hutchings
Date: Sun Nov 11 2018 - 15:33:03 EST
3.16.61-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@xxxxxxxxxxxx>
commit f664e37dcc525768280cb94321424a09beb1c992 upstream.
If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
drop the reference taken by l2tp_session_get().
Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
Signed-off-by: Guillaume Nault <g.nault@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
[bwh: Backported to 3.16: Also call session->deref in both cases]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
net/l2tp/l2tp_ppp.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1231,15 +1231,22 @@ static int pppol2tp_tunnel_ioctl(struct
l2tp_session_get(sock_net(sk), tunnel,
stats.session_id, true);
- if (session && session->pwtype == L2TP_PWTYPE_PPP) {
- err = pppol2tp_session_ioctl(session, cmd,
- arg);
+ if (!session) {
+ err = -EBADR;
+ break;
+ }
+ if (session->pwtype != L2TP_PWTYPE_PPP) {
if (session->deref)
session->deref(session);
l2tp_session_dec_refcount(session);
- } else {
err = -EBADR;
+ break;
}
+
+ err = pppol2tp_session_ioctl(session, cmd, arg);
+ if (session->deref)
+ session->deref(session);
+ l2tp_session_dec_refcount(session);
break;
}
#ifdef CONFIG_XFRM