releases/3.2.95/l2tp-hold-tunnel-while-handling-genl-tunnel_get-commands.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Guillaume Nault <g.nault@alphalink.fr>
 Date: Fri, 25 Aug 2017 16:51:43 +0200
 Subject: l2tp: hold tunnel while handling genl TUNNEL_GET commands

 commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.

 Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
 a reference on the tunnel, preventing l2tp_tunnel_destruct() from
 freeing it from under us.

 Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
 the reference when needed.

 Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 [bwh: Backported to 3.2: adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  net/l2tp/l2tp_netlink.c | 27 +++++++++++++++------------
  1 file changed, 15 insertions(+), 12 deletions(-)

 --- a/net/l2tp/l2tp_netlink.c
 +++ b/net/l2tp/l2tp_netlink.c
 @@ -295,34 +295,37 @@ static int l2tp_nl_cmd_tunnel_get(struct

  	if (!info->attrs[L2TP_ATTR_CONN_ID]) {
  		ret = -EINVAL;
 -		goto out;
 +		goto err;
  	}

  	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);

 -	tunnel = l2tp_tunnel_find(net, tunnel_id);
 -	if (tunnel == NULL) {
 -		ret = -ENODEV;
 -		goto out;
 -	}
 -
  	msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
  	if (!msg) {
  		ret = -ENOMEM;
 -		goto out;
 +		goto err;
 +	}
 +
 +	tunnel = l2tp_tunnel_get(net, tunnel_id);
 +	if (!tunnel) {
 +		ret = -ENODEV;
 +		goto err_nlmsg;
  	}

  	ret = l2tp_nl_tunnel_send(msg, info->snd_pid, info->snd_seq,
  				  NLM_F_ACK, tunnel);
  	if (ret < 0)
 -		goto err_out;
 +		goto err_nlmsg_tunnel;
 +
 +	l2tp_tunnel_dec_refcount(tunnel);

  	return genlmsg_unicast(net, msg, info->snd_pid);

 -err_out:
 +err_nlmsg_tunnel:
 +	l2tp_tunnel_dec_refcount(tunnel);
 +err_nlmsg:
  	nlmsg_free(msg);
 -
 -out:
 +err:
  	return ret;
  }
	From: Guillaume Nault <g.nault@alphalink.fr>
	Date: Fri, 25 Aug 2017 16:51:43 +0200
	Subject: l2tp: hold tunnel while handling genl TUNNEL_GET commands

	commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.

	Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
	a reference on the tunnel, preventing l2tp_tunnel_destruct() from
	freeing it from under us.

	Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
	the reference when needed.

	Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
	Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	[bwh: Backported to 3.2: adjust context]
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	net/l2tp/l2tp_netlink.c \| 27 +++++++++++++++------------
	1 file changed, 15 insertions(+), 12 deletions(-)

	--- a/net/l2tp/l2tp_netlink.c
	+++ b/net/l2tp/l2tp_netlink.c
	@@ -295,34 +295,37 @@ static int l2tp_nl_cmd_tunnel_get(struct

	if (!info->attrs[L2TP_ATTR_CONN_ID]) {
	ret = -EINVAL;
	- goto out;
	+ goto err;
	}

	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);

	- tunnel = l2tp_tunnel_find(net, tunnel_id);
	- if (tunnel == NULL) {
	- ret = -ENODEV;
	- goto out;
	- }
	-
	msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
	if (!msg) {
	ret = -ENOMEM;
	- goto out;
	+ goto err;
	+ }
	+
	+ tunnel = l2tp_tunnel_get(net, tunnel_id);
	+ if (!tunnel) {
	+ ret = -ENODEV;
	+ goto err_nlmsg;
	}

	ret = l2tp_nl_tunnel_send(msg, info->snd_pid, info->snd_seq,
	NLM_F_ACK, tunnel);
	if (ret < 0)
	- goto err_out;
	+ goto err_nlmsg_tunnel;
	+
	+ l2tp_tunnel_dec_refcount(tunnel);

	return genlmsg_unicast(net, msg, info->snd_pid);

	-err_out:
	+err_nlmsg_tunnel:
	+ l2tp_tunnel_dec_refcount(tunnel);
	+err_nlmsg:
	nlmsg_free(msg);
	-
	-out:
	+err:
	return ret;
	}