Patchwork [4/4] l2tp: clear tunnel socket field as soon as we release it

mail settings
Submitter Tom Parkin
Date Jan. 9, 2013, 6:36 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/210815/
State Changes Requested
Delegated to: David Miller
Headers show


Tom Parkin - Jan. 9, 2013, 6:36 p.m.
L2TP's struct l2tp_tunnel is freed and removed from the tunnel list
by the socket destructor, which may or may not run when we release our
reference to the socket in l2tp_tunnel_delete.  To prevent any chance of
accidentally reusing the socket after it is released, clear out the field
in l2tp_tunnel_delete.

Signed-off-by: Tom Parkin <>
Signed-off-by: James Chapman <>
 net/l2tp/l2tp_core.c |    1 +
 1 file changed, 1 insertion(+)


diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 5922eac..0cfc701 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1668,6 +1668,7 @@  int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
 	 * sessions are removed via. the socket destructor.
 	if (sock != NULL) {
+		tunnel->sock = NULL;
 		if (sock->file == NULL) {
 			kernel_sock_shutdown(sock, SHUT_RDWR);