diff options
| author | Guillaume Nault <g.nault@alphalink.fr> | 2013-03-01 05:02:02 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-03-01 14:13:09 -0500 |
| commit | 8b82547e33e85fc24d4d172a93c796de1fefa81a (patch) | |
| tree | 549b58a0e731a1aa6a028c0200d065c125a1080d /net/l2tp | |
| parent | 32fcafbcd1c9f6c7013016a22a5369b4acb93577 (diff) | |
| download | linux-8b82547e33e85fc24d4d172a93c796de1fefa81a.tar.gz | |
l2tp: Restore socket refcount when sendmsg succeeds
The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/l2tp')
| -rw-r--r-- | net/l2tp/l2tp_ppp.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 3f4e3afc191a..6a53371dba1f 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -355,6 +355,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh l2tp_xmit_skb(session, skb, session->hdr_len); sock_put(ps->tunnel_sock); + sock_put(sk); return error; |