summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorGuillaume Nault <g.nault@alphalink.fr>2013-03-01 05:02:02 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-20 13:05:01 -0700
commit136d76de5b72b4a45eec80e4e5ee14f397aa1fed (patch)
tree80fb7a9d156401590fa78da5bc35d9ea80b8713c /net
parent0530082c3595511fa2bfc1434a5ad809e5ec90a3 (diff)
downloadlinux-3.10-136d76de5b72b4a45eec80e4e5ee14f397aa1fed.tar.gz
linux-3.10-136d76de5b72b4a45eec80e4e5ee14f397aa1fed.tar.bz2
linux-3.10-136d76de5b72b4a45eec80e4e5ee14f397aa1fed.zip
l2tp: Restore socket refcount when sendmsg succeeds
[ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ] The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r--net/l2tp/l2tp_ppp.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 1addd9f3f40..9728a7564a7 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
l2tp_xmit_skb(session, skb, session->hdr_len);
sock_put(ps->tunnel_sock);
+ sock_put(sk);
return error;