summaryrefslogtreecommitdiffstats
path: root/net/handshake
diff options
context:
space:
mode:
authorChuck Lever <chuck.lever@oracle.com>2023-05-11 17:49:17 +0200
committerJakub Kicinski <kuba@kernel.org>2023-05-25 07:05:24 +0200
commit1ce77c998f0415d7d9d91cb9bd7665e25c8f75f1 (patch)
tree4aa126823dfac3da3854c0a2e9c2fe710da83e50 /net/handshake
parentnet/handshake: handshake_genl_notify() shouldn't ignore @flags (diff)
downloadlinux-1ce77c998f0415d7d9d91cb9bd7665e25c8f75f1.tar.xz
linux-1ce77c998f0415d7d9d91cb9bd7665e25c8f75f1.zip
net/handshake: Unpin sock->file if a handshake is cancelled
If user space never calls DONE, sock->file's reference count remains elevated. Enable sock->file to be freed eventually in this case. Reported-by: Jakub Kacinski <kuba@kernel.org> Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/handshake')
-rw-r--r--net/handshake/handshake.h1
-rw-r--r--net/handshake/request.c4
2 files changed, 5 insertions, 0 deletions
diff --git a/net/handshake/handshake.h b/net/handshake/handshake.h
index 4dac965c99df..8aeaadca844f 100644
--- a/net/handshake/handshake.h
+++ b/net/handshake/handshake.h
@@ -31,6 +31,7 @@ struct handshake_req {
struct list_head hr_list;
struct rhash_head hr_rhash;
unsigned long hr_flags;
+ struct file *hr_file;
const struct handshake_proto *hr_proto;
struct sock *hr_sk;
void (*hr_odestruct)(struct sock *sk);
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 94d5cef3e048..d78d41abb3d9 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -239,6 +239,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
}
req->hr_odestruct = req->hr_sk->sk_destruct;
req->hr_sk->sk_destruct = handshake_sk_destruct;
+ req->hr_file = sock->file;
ret = -EOPNOTSUPP;
net = sock_net(req->hr_sk);
@@ -334,6 +335,9 @@ bool handshake_req_cancel(struct sock *sk)
return false;
}
+ /* Request accepted and waiting for DONE */
+ fput(req->hr_file);
+
out_true:
trace_handshake_cancel(net, req, sk);