Patchwork [4/4] l2tp: clear tunnel socket field as soon as we release it

login
register
mail settings
Submitter Tom Parkin
Date Jan. 9, 2013, 6:36 p.m.
Message ID <1357756583-22535-5-git-send-email-tparkin@katalix.com>
Download mbox | patch
Permalink /patch/210815/
State Changes Requested
Delegated to: David Miller
Headers show

Comments

Tom Parkin - Jan. 9, 2013, 6:36 p.m.
L2TP's struct l2tp_tunnel is freed and removed from the tunnel list
by the socket destructor, which may or may not run when we release our
reference to the socket in l2tp_tunnel_delete.  To prevent any chance of
accidentally reusing the socket after it is released, clear out the field
in l2tp_tunnel_delete.

Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
---
 net/l2tp/l2tp_core.c |    1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 5922eac..0cfc701 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1668,6 +1668,7 @@  int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
 	 * sessions are removed via. the socket destructor.
 	 */
 	if (sock != NULL) {
+		tunnel->sock = NULL;
 		if (sock->file == NULL) {
 			kernel_sock_shutdown(sock, SHUT_RDWR);
 			sk_release_kernel(sock->sk);