Skip to content

Commit

Permalink
l2tp: Restore socket refcount when sendmsg succeeds
Browse files Browse the repository at this point in the history 
[ Upstream commit 8b82547 ]

The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
reference counter after successful transmissions. Any successful
sendmsg() call from userspace will then increase the reference counter
forever, thus preventing the kernel's session and tunnel data from
being freed later on.

The problem only happens when writing directly on L2TP sockets.
PPP sockets attached to L2TP are unaffected as the PPP subsystem
uses pppol2tp_xmit() which symmetrically increase/decrease reference
counters.

This patch adds the missing call to sock_put() before returning from
pppol2tp_sendmsg().

Signed-off-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
  • Loading branch information
@bwhacks
Guillaume Nault authored and bwhacks committed Mar 27, 2013
1 parent 9deb93c commit ba5c1a5
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/l2tp/l2tp_ppp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
l2tp_xmit_skb(session, skb, session->hdr_len);

sock_put(ps->tunnel_sock);
sock_put(sk);

return error;

Expand Down

0 comments on commit ba5c1a5

Please sign in to comment.