kernel-fxtec-pro1x/drivers
James Chapman c3259c8a70 l2tp: Fix UDP socket reference count bugs in the pppol2tp driver
This patch fixes UDP socket refcnt bugs in the pppol2tp driver.

A bug can cause a kernel stack trace when a tunnel socket is closed.

A way to reproduce the issue is to prepare the UDP socket for L2TP (by
opening a tunnel pppol2tp socket) and then close it before any L2TP
sessions are added to it. The sequence is

Create UDP socket
Create tunnel pppol2tp socket to prepare UDP socket for L2TP
  pppol2tp_connect: session_id=0, peer_session_id=0
L2TP SCCRP control frame received (tunnel_id==0)
  pppol2tp_recv_core: sock_hold()
  pppol2tp_recv_core: sock_put
L2TP ZLB control frame received (tunnel_id=nnn)
  pppol2tp_recv_core: sock_hold()
  pppol2tp_recv_core: sock_put
Close tunnel management socket
  pppol2tp_release: session_id=0, peer_session_id=0
Close UDP socket
  udp_lib_close: BUG

The addition of sock_hold() in pppol2tp_connect() solves the problem.

For data frames, two sock_put() calls were added to plug a refcnt leak
per received data frame. The ref that is grabbed at the top of
pppol2tp_recv_core() must always be released, but this wasn't done for
accepted data frames or data frames discarded because of bad UDP
checksums. This leak meant that any UDP socket that had passed L2TP
data traffic (i.e. L2TP data frames, not just L2TP control frames)
using pppol2tp would not be released by the kernel.

WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
Call Trace:
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c101b871>] ? warn_slowpath_common+0x71/0xd0
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c101b8e3>] ? warn_slowpath_null+0x13/0x20
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c11598a7>] ? sk_common_release+0x17/0x90
 [<c11a5e33>] ? inet_release+0x33/0x60
 [<c11577b0>] ? sock_release+0x10/0x60
 [<c115780f>] ? sock_close+0xf/0x30
 [<c106e542>] ? __fput+0x52/0x150
 [<c106b68e>] ? filp_close+0x3e/0x70
 [<c101d2e2>] ? put_files_struct+0x62/0xb0
 [<c101eaf7>] ? do_exit+0x5e7/0x650
 [<c1081623>] ? mntput_no_expire+0x13/0x70
 [<c106b68e>] ? filp_close+0x3e/0x70
 [<c101eb8a>] ? do_group_exit+0x2a/0x70
 [<c101ebe1>] ? sys_exit_group+0x11/0x20
 [<c10029b0>] ? sysenter_do_call+0x12/0x26

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-16 14:15:44 -07:00
..
accessibility
acpi Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
amba
ata Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
atm atm: use for_each_set_bit() 2010-03-15 16:00:47 -07:00
auxdisplay auxdisplay: move cfag12864bfb's probe function to .devinit.text 2010-03-07 17:04:50 -08:00
base Driver core: create lock/unlock functions for struct device 2010-03-07 17:04:52 -08:00
block Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
bluetooth
cdrom
char Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2010-03-13 14:45:49 -08:00
clocksource
connector
cpufreq
cpuidle
crypto Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
dca
dio
dma Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
edac edac: e752x: add dram scrubbing support 2010-03-12 15:52:40 -08:00
eisa
firewire Driver core: create lock/unlock functions for struct device 2010-03-07 17:04:52 -08:00
firmware
gpio
gpu Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
hid Input: scancode in get/set_keycodes should be unsigned 2010-03-08 23:19:15 -08:00
hwmon
i2c Add include to i2c-xii.c to fix build error 2010-03-14 11:14:58 -07:00
ide
idle
ieee1394 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
ieee802154
infiniband Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband 2010-03-13 14:38:31 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-03-14 11:13:54 -07:00
isdn gigaset: correct range checking off by one error 2010-03-16 14:15:41 -07:00
leds
lguest
macintosh powerpc: Fix G5 thermal shutdown 2010-03-09 11:55:27 +11:00
mca
md
media Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-03-14 11:13:54 -07:00
memstick
message Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
mfd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6 2010-03-12 16:41:09 -08:00
misc init dynamic bin_attribute structures 2010-03-14 20:28:39 -07:00
mmc Merge branch 'msm-mmc_sdcc' of git://codeaurora.org/quic/kernel/dwalker/linux-msm 2010-03-12 16:21:24 -08:00
mtd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
net l2tp: Fix UDP socket reference count bugs in the pppol2tp driver 2010-03-16 14:15:44 -07:00
nubus
of
oprofile
parisc
parport Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
pci Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
pcmcia Merge branch 'for-linus' of master.kernel.org:/home/rmk/linux-2.6-arm 2010-03-12 16:00:54 -08:00
platform Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
pnp PNPACPI: add bus number support 2010-03-14 20:08:38 -04:00
power Merge branches 'battery-2.6.34', 'bugzilla-10805', 'bugzilla-14668', 'bugzilla-531916-power-state', 'ht-warn-2.6.34', 'pnp', 'processor-rename', 'sony-2.6.34', 'suse-bugzilla-531547', 'tz-check', 'video' and 'misc-2.6.34' into release 2010-03-14 21:30:17 -04:00
pps pps: serial clients support 2010-03-12 15:52:43 -08:00
ps3
rapidio
regulator
rtc init dynamic bin_attribute structures 2010-03-14 20:28:39 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-03-13 14:50:18 -08:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 2010-03-13 21:29:38 -08:00
serial Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
sfi
sh Merge branch 'origin' into devel-stable 2010-03-08 20:21:04 +00:00
sn
spi Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
ssb
staging
tc
telephony
thermal
uio UIO: Remove SMX Cryptengine driver 2010-03-07 17:04:51 -08:00
usb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
uwb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
vhost
video Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 2010-03-13 21:29:38 -08:00
virtio
vlynq
w1 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-03-12 16:04:50 -08:00
watchdog [WATCHDOG] i6300esb.c: change platform_driver to pci_driver 2010-03-08 13:48:01 +00:00
xen
zorro
Kconfig
Makefile Merge branch 'origin' into devel-stable 2010-03-08 20:21:04 +00:00