On 8/13/19 6:01 PM, Tung Nguyen wrote:
> When tipc_sk_timeout() is executed but user space is grabbing
> ownership, this function rearms itself and returns. However, the
> socket reference counter is not reduced. This causes potential
> unexpected behavior.
> 
> This commit fixes it by calling sock_put() before tipc_sk_timeout()
> returns in the above-mentioned case.
> 
> Fixes: afe8792fec69 ("tipc: refactor function tipc_sk_timeout()")
> Signed-off-by: Tung Nguyen <tung.q.ngu...@dektech.com.au>

Acked-by: Ying Xue <ying....@windriver.com>

> ---
>  net/tipc/socket.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/tipc/socket.c b/net/tipc/socket.c
> index dcb8b6082757..9fd9a5727786 100644
> --- a/net/tipc/socket.c
> +++ b/net/tipc/socket.c
> @@ -2683,6 +2683,7 @@ static void tipc_sk_timeout(struct timer_list *t)
>       if (sock_owned_by_user(sk)) {
>               sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 20);
>               bh_unlock_sock(sk);
> +             sock_put(sk);
>               return;
>       }
>  
> 
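Review bot: the added sock_put(sk) in the sock_owned_by_user() branch would benefit from a one-line comment saying which reference it drops. It sits directly after sk_reset_timer(), which takes a new reference for the rearmed timer when the timer was not already pending, so a reader can mistake the put for undoing that hold. It actually releases the reference that belonged to the expiry now being handled. Placing it after bh_unlock_sock(sk) is right, since sk is not touched again before the return. The commit message could also replace "potential unexpected behavior" with the concrete effect: each pass through this branch leaves one reference behind, so the count cannot reach zero once this path has run.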

