From: Guillaume Nault <g.nault@alphalink.fr>
To: James Chapman <jchapman@katalix.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH] l2tp: Restore socket refcount when sendmsg succeeds
Date: Fri, 1 Mar 2013 16:02:02 +0100
Message-ID: <20130301150202.GA3649@alphalink.fr>

The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
reference counter after successful transmissions. Any successful
sendmsg() call from userspace will then increase the reference counter
forever, thus preventing the kernel's session and tunnel data from
being freed later on.

The problem only happens when writing directly on L2TP sockets.
PPP sockets attached to L2TP are unaffected as the PPP subsystem
uses pppol2tp_xmit() which symmetrically increases/decreases reference
counters.

This patch adds the missing call to sock_put() before returning from
pppol2tp_sendmsg().

Cc: <stable@vger.kernel.org>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
net/l2tp/l2tp_ppp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 3f4e3af..6a53371 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -355,6 +355,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
l2tp_xmit_skb(session, skb, session->hdr_len);
sock_put(ps->tunnel_sock);
+ sock_put(sk);
return error;
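Review bot: The added sock_put(sk) just before return error releases a reference whose matching hold is not visible in this hunk, and it now sits beside sock_put(ps->tunnel_sock) as a second open-coded put on the success path. A short comment naming what each put pairs with, or a single exit sequence that performs both puts, would make it harder for this path to drop one again. The first context line also discards the return value of l2tp_xmit_skb(), so "succeeds" in the subject means the skb was handed off, not that it was transmitted; the commit message could say so. Since the patch is Cc'd to stable, naming the commit or release that introduced the leak would help decide how far back to backport.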
--
1.7.10.4