linux-sg2042/drivers
James Chapman c3259c8a70 l2tp: Fix UDP socket reference count bugs in the pppol2tp driver
This patch fixes UDP socket refcnt bugs in the pppol2tp driver.

A bug can cause a kernel stack trace when a tunnel socket is closed.

A way to reproduce the issue is to prepare the UDP socket for L2TP (by
opening a tunnel pppol2tp socket) and then close it before any L2TP
sessions are added to it. The sequence is

Create UDP socket
Create tunnel pppol2tp socket to prepare UDP socket for L2TP
  pppol2tp_connect: session_id=0, peer_session_id=0
L2TP SCCRP control frame received (tunnel_id==0)
  pppol2tp_recv_core: sock_hold()
  pppol2tp_recv_core: sock_put
L2TP ZLB control frame received (tunnel_id=nnn)
  pppol2tp_recv_core: sock_hold()
  pppol2tp_recv_core: sock_put
Close tunnel management socket
  pppol2tp_release: session_id=0, peer_session_id=0
Close UDP socket
  udp_lib_close: BUG

The addition of sock_hold() in pppol2tp_connect() solves the problem.

For data frames, two sock_put() calls were added to plug a refcnt leak
per received data frame. The ref that is grabbed at the top of
pppol2tp_recv_core() must always be released, but this wasn't done for
accepted data frames or data frames discarded because of bad UDP
checksums. This leak meant that any UDP socket that had passed L2TP
data traffic (i.e. L2TP data frames, not just L2TP control frames)
using pppol2tp would not be released by the kernel.

WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
Call Trace:
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c101b871>] ? warn_slowpath_common+0x71/0xd0
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c101b8e3>] ? warn_slowpath_null+0x13/0x20
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c11598a7>] ? sk_common_release+0x17/0x90
 [<c11a5e33>] ? inet_release+0x33/0x60
 [<c11577b0>] ? sock_release+0x10/0x60
 [<c115780f>] ? sock_close+0xf/0x30
 [<c106e542>] ? __fput+0x52/0x150
 [<c106b68e>] ? filp_close+0x3e/0x70
 [<c101d2e2>] ? put_files_struct+0x62/0xb0
 [<c101eaf7>] ? do_exit+0x5e7/0x650
 [<c1081623>] ? mntput_no_expire+0x13/0x70
 [<c106b68e>] ? filp_close+0x3e/0x70
 [<c101eb8a>] ? do_group_exit+0x2a/0x70
 [<c101ebe1>] ? sys_exit_group+0x11/0x20
 [<c10029b0>] ? sysenter_do_call+0x12/0x26

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-16 14:15:44 -07:00
..
accessibility
acpi Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
amba
ata Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
atm atm: use for_each_set_bit() 2010-03-15 16:00:47 -07:00
auxdisplay auxdisplay: move cfag12864bfb's probe function to .devinit.text 2010-03-07 17:04:50 -08:00
base Driver core: create lock/unlock functions for struct device 2010-03-07 17:04:52 -08:00
block Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
bluetooth Bluetooth: Convert Marvell driver to use per adapter debugfs 2010-02-27 14:05:38 +01:00
cdrom block: Consolidate phys_segment and hw_segment limits 2010-02-26 13:58:08 +01:00
char Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2010-03-13 14:45:49 -08:00
clocksource MFGPT: move clocksource menu 2010-03-06 11:26:28 -08:00
connector
cpufreq Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
cpuidle Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
crypto Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
dca
dio
dma Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
edac edac: e752x: add dram scrubbing support 2010-03-12 15:52:40 -08:00
eisa eisa: fix coding style for eisa bus code 2010-03-06 11:26:32 -08:00
firewire Driver core: create lock/unlock functions for struct device 2010-03-07 17:04:52 -08:00
firmware Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
gpio driver-core: Add attribute argument to class_attribute show/store 2010-03-07 17:04:48 -08:00
gpu Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
hid Input: scancode in get/set_keycodes should be unsigned 2010-03-08 23:19:15 -08:00
hwmon Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging 2010-03-06 11:33:09 -08:00
i2c Add include to i2c-xii.c to fix build error 2010-03-14 11:14:58 -07:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide-next-2.6 2010-03-04 08:24:06 -08:00
idle
ieee1394 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
ieee802154
infiniband Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband 2010-03-13 14:38:31 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-03-14 11:13:54 -07:00
isdn gigaset: correct range checking off by one error 2010-03-16 14:15:41 -07:00
leds led: Enable led in 88pm860x 2010-03-07 22:17:05 +01:00
lguest
macintosh powerpc: Fix G5 thermal shutdown 2010-03-09 11:55:27 +11:00
mca
md Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
media Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-03-14 11:13:54 -07:00
memstick block: Consolidate phys_segment and hw_segment limits 2010-02-26 13:58:08 +01:00
message Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
mfd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6 2010-03-12 16:41:09 -08:00
misc init dynamic bin_attribute structures 2010-03-14 20:28:39 -07:00
mmc Merge branch 'msm-mmc_sdcc' of git://codeaurora.org/quic/kernel/dwalker/linux-msm 2010-03-12 16:21:24 -08:00
mtd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
net l2tp: Fix UDP socket reference count bugs in the pppol2tp driver 2010-03-16 14:15:44 -07:00
nubus
of
oprofile
parisc Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
parport Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
pci Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
pcmcia Merge branch 'for-linus' of master.kernel.org:/home/rmk/linux-2.6-arm 2010-03-12 16:00:54 -08:00
platform Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
pnp PNPACPI: add bus number support 2010-03-14 20:08:38 -04:00
power Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
pps pps: serial clients support 2010-03-12 15:52:43 -08:00
ps3
rapidio
regulator regulator: Add max8925 support 2010-03-07 22:17:08 +01:00
rtc init dynamic bin_attribute structures 2010-03-14 20:28:39 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-03-13 14:50:18 -08:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 2010-03-13 21:29:38 -08:00
serial Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
sfi
sh Merge branch 'origin' into devel-stable 2010-03-08 20:21:04 +00:00
sn
spi Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
ssb
staging driver core: Convert some drivers to CLASS_ATTR_STRING 2010-03-07 17:04:48 -08:00
tc
telephony
thermal
uio UIO: Remove SMX Cryptengine driver 2010-03-07 17:04:51 -08:00
usb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
uwb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
vhost vhost-net: restart tx poll on sk_sndbuf full 2010-02-28 19:50:33 +02:00
video Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 2010-03-13 21:29:38 -08:00
virtio virtio: set pci bus master enable bit 2010-03-02 13:41:14 +02:00
vlynq
w1 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
watchdog [WATCHDOG] i6300esb.c: change platform_driver to pci_driver 2010-03-08 13:48:01 +00:00
xen Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
zorro
Kconfig MFGPT: move clocksource menu 2010-03-06 11:26:28 -08:00
Makefile Merge branch 'origin' into devel-stable 2010-03-08 20:21:04 +00:00