git.ipfire.org Git - thirdparty/linux.git/commit

author	Kuniyuki Iwashima <kuniyu@google.com>
	Thu, 23 Oct 2025 23:16:50 +0000 (23:16 +0000)
committer	Jakub Kicinski <kuba@kernel.org>
	Tue, 28 Oct 2025 01:04:56 +0000 (18:04 -0700)
commit	622e8838a29845316668ec2e7648428878df7f9a
tree	40d1d943eadf8e382b14a9503393e32c97d25369	tree \| snapshot
parent	8b2ee2df6a324b6071de26bd708835f2f5ef85eb	commit \| diff

sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock().

SCTP_DBG_OBJCNT_INC() is called only when sctp_init_sock()
returns 0 after successfully allocating sctp_sk(sk)->ep.

OTOH, SCTP_DBG_OBJCNT_DEC() is called in sctp_close().

The code seems to expect that the socket is always exposed
to userspace once SCTP_DBG_OBJCNT_INC() is incremented, but
there is a path where the assumption is not true.

In sctp_accept(), sctp_sock_migrate() could fail after
sctp_init_sock().

Then, sk_common_release() does not call inet_release() nor
sctp_close(). Instead, it calls sk->sk_prot->destroy().

Let's move SCTP_DBG_OBJCNT_DEC() from sctp_close() to
sctp_destroy_sock().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20251023231751.4168390-2-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>