[PATCH 3.16 160/294] l2tp: hold tunnel while handling genl TUNNEL_GET commands

2017-11-06 Thread Ben Hutchings 
3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.

Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
a reference on the tunnel, preventing l2tp_tunnel_destruct() from
freeing it from under us.

Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
the reference when needed.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_netlink.c | 27 +++
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -349,34 +349,37 @@ static int l2tp_nl_cmd_tunnel_get(struct
 
if (!info->attrs[L2TP_ATTR_CONN_ID]) {
ret = -EINVAL;
-   goto out;
+   goto err;
}
 
tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 
-   tunnel = l2tp_tunnel_find(net, tunnel_id);
-   if (tunnel == NULL) {
-   ret = -ENODEV;
-   goto out;
-   }
-
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (!msg) {
ret = -ENOMEM;
-   goto out;
+   goto err;
+   }
+
+   tunnel = l2tp_tunnel_get(net, tunnel_id);
+   if (!tunnel) {
+   ret = -ENODEV;
+   goto err_nlmsg;
}
 
ret = l2tp_nl_tunnel_send(msg, info->snd_portid, info->snd_seq,
  NLM_F_ACK, tunnel);
if (ret < 0)
-   goto err_out;
+   goto err_nlmsg_tunnel;
+
+   l2tp_tunnel_dec_refcount(tunnel);
 
return genlmsg_unicast(net, msg, info->snd_portid);
 
-err_out:
+err_nlmsg_tunnel:
+   l2tp_tunnel_dec_refcount(tunnel);
+err_nlmsg:
nlmsg_free(msg);
-
-out:
+err:
return ret;
 }

[PATCH 3.16 160/294] l2tp: hold tunnel while handling genl TUNNEL_GET commands

2017-11-06 Thread Ben Hutchings 
3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.

Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
a reference on the tunnel, preventing l2tp_tunnel_destruct() from
freeing it from under us.

Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
the reference when needed.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_netlink.c | 27 +++
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -349,34 +349,37 @@ static int l2tp_nl_cmd_tunnel_get(struct
 
if (!info->attrs[L2TP_ATTR_CONN_ID]) {
ret = -EINVAL;
-   goto out;
+   goto err;
}
 
tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 
-   tunnel = l2tp_tunnel_find(net, tunnel_id);
-   if (tunnel == NULL) {
-   ret = -ENODEV;
-   goto out;
-   }
-
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (!msg) {
ret = -ENOMEM;
-   goto out;
+   goto err;
+   }
+
+   tunnel = l2tp_tunnel_get(net, tunnel_id);
+   if (!tunnel) {
+   ret = -ENODEV;
+   goto err_nlmsg;
}
 
ret = l2tp_nl_tunnel_send(msg, info->snd_portid, info->snd_seq,
  NLM_F_ACK, tunnel);
if (ret < 0)
-   goto err_out;
+   goto err_nlmsg_tunnel;
+
+   l2tp_tunnel_dec_refcount(tunnel);
 
return genlmsg_unicast(net, msg, info->snd_portid);
 
-err_out:
+err_nlmsg_tunnel:
+   l2tp_tunnel_dec_refcount(tunnel);
+err_nlmsg:
nlmsg_free(msg);
-
-out:
+err:
return ret;
 }