Re: [PATCH] l2tp: Fix a UDP socket reference count bug in the pppol2tp driver
From: David Miller <davem@davemloft.net>
Date: 2010-01-23 09:55:00

From: James Chapman <jchapman@katalix.com>
Date: Thu, 21 Jan 2010 16:10:09 +0000

> The bug can cause a kernel stack trace when a tunnel socket is closed.
>
> WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
> Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
> Call Trace:

This fix doesn't look right at all.

You grab one reference in connect() and then drop a reference every single recvmsg() call.

recvmsg() calls to connect() would be many to one, so I can't see how this reference counting scheme could possibly work.

Why don't you describe the exact sequence of events that lead to the trace, so we can figure out how to correct this properly?

Thanks.