| From: Guillaume Nault <g.nault@alphalink.fr> |
| Date: Fri, 1 Mar 2013 05:02:02 +0000 |
| Subject: l2tp: Restore socket refcount when sendmsg succeeds |
| |
| [ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ] |
| |
| The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket |
| reference counter after successful transmissions. Any successful |
| sendmsg() call from userspace will then increase the reference counter |
| forever, thus preventing the kernel's session and tunnel data from |
| being freed later on. |
| |
| The problem only happens when writing directly on L2TP sockets. |
| PPP sockets attached to L2TP are unaffected as the PPP subsystem |
| uses pppol2tp_xmit() which symmetrically increases/decreases reference |
| counters. |
| |
| This patch adds the missing call to sock_put() before returning from |
| pppol2tp_sendmsg(). |
| |
| Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/l2tp/l2tp_ppp.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/l2tp/l2tp_ppp.c |
| +++ b/net/l2tp/l2tp_ppp.c |
| @@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb |
| l2tp_xmit_skb(session, skb, session->hdr_len); |
| |
| sock_put(ps->tunnel_sock); |
| + sock_put(sk); |
| |
| return error; |
| |
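Review bot: The added sock_put(sk) sits directly under sock_put(ps->tunnel_sock) with no comment naming the hold each put balances. The commit message describes exactly that kind of unpaired reference leaking on every successful sendmsg(). Consider a one-line comment pairing each put with the get it releases earlier in pppol2tp_sendmsg(), or routing the success path through the same release code as the error exits (not visible in this hunk) so the two paths cannot drift apart again. Separately, the context line calls l2tp_xmit_skb(session, skb, session->hdr_len) as a bare statement, so any status it returns is dropped before `return error;`. If that is intentional, it deserves a comment saying so.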