On 8/13/19 6:01 PM, Tung Nguyen wrote:
> When tipc_sk_timeout() is executed but user space is grabbing
> ownership, this function rearms itself and returns. However, the
> socket reference counter is not reduced. This causes potential
> unexpected behavior.
>
> This commit fixes it by calling sock_put() before tipc_sk_timeout()
> returns in the above-mentioned case.
>
> Fixes: afe8792fec69 ("tipc: refactor function tipc_sk_timeout()")
> Signed-off-by: Tung Nguyen <tung.q.ngu...@dektech.com.au>

Acked-by: Ying Xue <ying....@windriver.com> > --- > net/tipc/socket.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/tipc/socket.c b/net/tipc/socket.c > index dcb8b6082757..9fd9a5727786 100644 > --- a/net/tipc/socket.c > +++ b/net/tipc/socket.c > @@ -2683,6 +2683,7 @@ static void tipc_sk_timeout(struct timer_list *t) > if (sock_owned_by_user(sk)) { > sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 20); > bh_unlock_sock(sk); > + sock_put(sk); > return; > } > >
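Review bot: The added sock_put(sk) in the sock_owned_by_user() branch comes two lines after sk_reset_timer() re-arms the timer, and with no comment the pair reads like a reference imbalance to the next person touching this path. sk_reset_timer() takes its own hold on the socket when it arms a timer that is not pending, so the put here releases the reference that belonged to the timer instance that just fired, not the one backing the re-armed timer. A one-line comment saying so above sock_put(sk), and the same sentence in the commit message in place of "the socket reference counter is not reduced", would make the accounting checkable from the code alone. Keeping the put after bh_unlock_sock(sk), as posted, is the right order and should stay that way if the early-return path is ever folded into a shared exit.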