Commit a1bf0abb authored by Guillaume Nault's avatar Guillaume Nault Committed by Ben Hutchings

l2tp: ensure session can't get removed during pppol2tp_session_ioctl()

commit 57377d63 upstream.

Holding a reference on session is required before calling
pppol2tp_session_ioctl(). The session could get freed while processing the
ioctl otherwise. Since pppol2tp_session_ioctl() uses the session's socket,
we also need to take a reference on it in l2tp_session_get().

Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 63a763d0
......@@ -1150,11 +1150,18 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
if (stats.session_id != 0) {
/* resend to session ioctl handler */
struct l2tp_session *session =
l2tp_session_find(sock_net(sk), tunnel, stats.session_id);
if (session != NULL)
err = pppol2tp_session_ioctl(session, cmd, arg);
else
l2tp_session_get(sock_net(sk), tunnel,
stats.session_id, true);
if (session) {
err = pppol2tp_session_ioctl(session, cmd,
arg);
if (session->deref)
session->deref(session);
l2tp_session_dec_refcount(session);
} else {
err = -EBADR;
}
break;
}
#ifdef CONFIG_XFRM
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment