| From cf84ca69d27e7ce3609ac3b2e9fa09093839b18c Mon Sep 17 00:00:00 2001 |
| From: Tung Nguyen <tung.q.nguyen@dektech.com.au> |
| Date: Thu, 28 Nov 2019 10:10:06 +0700 |
| Subject: [PATCH] tipc: fix wrong socket reference counter after |
| tipc_sk_timeout() returns |
| |
| commit 91a4a3eb433e4d786420c41f3c08d1d16c605962 upstream. |
| |
| When tipc_sk_timeout() is executed but user space is grabbing |
| ownership, this function rearms itself and returns. However, the |
| socket reference counter is not reduced. This causes potential |
| unexpected behavior. |
| |
| This commit fixes it by calling sock_put() before tipc_sk_timeout() |
| returns in the above-mentioned case. |
| |
| Fixes: afe8792fec69 ("tipc: refactor function tipc_sk_timeout()") |
| Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> |
| Acked-by: Ying Xue <ying.xue@windriver.com> |
| Acked-by: Jon Maloy <jon.maloy@ericsson.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/tipc/socket.c b/net/tipc/socket.c |
| index 911e14fcf118..cc89d4142ecb 100644 |
| --- a/net/tipc/socket.c |
| +++ b/net/tipc/socket.c |
| @@ -2687,6 +2687,7 @@ static void tipc_sk_timeout(struct timer_list *t) |
| if (sock_owned_by_user(sk)) { |
| sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 20); |
| bh_unlock_sock(sk); |
| + sock_put(sk); |
| return; |
| } |
| |
| -- |
| 2.7.4 |
| |
