Commit d7226c7a authored by David Ahern's avatar David Ahern Committed by David S. Miller

net: diag: Fix refcnt leak in error path destroying socket

inet_diag_find_one_icsk takes a reference to a socket that is not
released if sock_diag_destroy returns an error. Fix by changing
tcp_diag_destroy to manage the refcnt for all cases and remove
the sock_put calls from tcp_abort.

Fixes: c1e64e29 ("net: diag: Support destroying TCP sockets")
Reported-by: default avatarLorenzo Colitti <lorenzo@google.com>
Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7b996243
...@@ -3193,7 +3193,6 @@ int tcp_abort(struct sock *sk, int err) ...@@ -3193,7 +3193,6 @@ int tcp_abort(struct sock *sk, int err)
local_bh_enable(); local_bh_enable();
return 0; return 0;
} }
sock_gen_put(sk);
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
...@@ -3222,7 +3221,6 @@ int tcp_abort(struct sock *sk, int err) ...@@ -3222,7 +3221,6 @@ int tcp_abort(struct sock *sk, int err)
bh_unlock_sock(sk); bh_unlock_sock(sk);
local_bh_enable(); local_bh_enable();
release_sock(sk); release_sock(sk);
sock_put(sk);
return 0; return 0;
} }
EXPORT_SYMBOL_GPL(tcp_abort); EXPORT_SYMBOL_GPL(tcp_abort);
......
...@@ -54,11 +54,16 @@ static int tcp_diag_destroy(struct sk_buff *in_skb, ...@@ -54,11 +54,16 @@ static int tcp_diag_destroy(struct sk_buff *in_skb,
{ {
struct net *net = sock_net(in_skb->sk); struct net *net = sock_net(in_skb->sk);
struct sock *sk = inet_diag_find_one_icsk(net, &tcp_hashinfo, req); struct sock *sk = inet_diag_find_one_icsk(net, &tcp_hashinfo, req);
int err;
if (IS_ERR(sk)) if (IS_ERR(sk))
return PTR_ERR(sk); return PTR_ERR(sk);
return sock_diag_destroy(sk, ECONNABORTED); err = sock_diag_destroy(sk, ECONNABORTED);
sock_gen_put(sk);
return err;
} }
#endif #endif
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment