diff options
author | Guillaume Nault <g.nault@alphalink.fr> | 2013-03-01 05:02:02 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-03-20 13:05:01 -0700 |
commit | 136d76de5b72b4a45eec80e4e5ee14f397aa1fed (patch) | |
tree | 80fb7a9d156401590fa78da5bc35d9ea80b8713c /net | |
parent | 0530082c3595511fa2bfc1434a5ad809e5ec90a3 (diff) | |
download | linux-3.10-136d76de5b72b4a45eec80e4e5ee14f397aa1fed.tar.gz linux-3.10-136d76de5b72b4a45eec80e4e5ee14f397aa1fed.tar.bz2 linux-3.10-136d76de5b72b4a45eec80e4e5ee14f397aa1fed.zip |
l2tp: Restore socket refcount when sendmsg succeeds
[ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ]
The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
reference counter after successful transmissions. Any successful
sendmsg() call from userspace will then increase the reference counter
forever, thus preventing the kernel's session and tunnel data from
being freed later on.
The problem only happens when writing directly on L2TP sockets.
PPP sockets attached to L2TP are unaffected as the PPP subsystem
uses pppol2tp_xmit() which symmetrically increase/decrease reference
counters.
This patch adds the missing call to sock_put() before returning from
pppol2tp_sendmsg().
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/l2tp/l2tp_ppp.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 1addd9f3f40..9728a7564a7 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh l2tp_xmit_skb(session, skb, session->hdr_len); sock_put(ps->tunnel_sock); + sock_put(sk); return error; |