* [PATCH v1 net] l2tp: Fix memleak in l2tp_udp_encap_recv().
@ 2026-01-13 18:54 Kuniyuki Iwashima
2026-01-13 19:13 ` Guillaume Nault
2026-01-16 4:00 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Kuniyuki Iwashima @ 2026-01-13 18:54 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Samuel Thibault, Kuniyuki Iwashima,
Kuniyuki Iwashima, netdev, syzbot+2c42ea4485b29beb0643
syzbot reported memleak of struct l2tp_session, l2tp_tunnel,
sock, etc. [0]
The cited commit moved down the validation of the protocol
version in l2tp_udp_encap_recv().
The new place requires an extra error handling to avoid the
memleak.
Let's call l2tp_session_put() there.
[0]:
BUG: memory leak
unreferenced object 0xffff88810a290200 (size 512):
comm "syz.0.17", pid 6086, jiffies 4294944299
hex dump (first 32 bytes):
7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc babb6a4f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778
pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755
__sys_connect_file+0x7a/0xb0 net/socket.c:2089
__sys_connect+0xde/0x110 net/socket.c:2108
__do_sys_connect net/socket.c:2114 [inline]
__se_sys_connect net/socket.c:2111 [inline]
__x64_sys_connect+0x1c/0x30 net/socket.c:2111
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 364798056f518 ("l2tp: Support different protocol versions with same IP/port quadruple")
Reported-by: syzbot+2c42ea4485b29beb0643@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/696693f2.a70a0220.245e30.0001.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
net/l2tp/l2tp_core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 687c1366a4d0f..70335667ef037 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1086,8 +1086,10 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
tunnel = session->tunnel;
/* Check protocol version */
- if (version != tunnel->version)
+ if (version != tunnel->version) {
+ l2tp_session_put(session);
goto invalid;
+ }
if (version == L2TP_HDR_VER_3 &&
l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
--
2.52.0.457.g6b5491de43-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v1 net] l2tp: Fix memleak in l2tp_udp_encap_recv().
2026-01-13 18:54 [PATCH v1 net] l2tp: Fix memleak in l2tp_udp_encap_recv() Kuniyuki Iwashima
@ 2026-01-13 19:13 ` Guillaume Nault
2026-01-16 4:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Guillaume Nault @ 2026-01-13 19:13 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Samuel Thibault, Kuniyuki Iwashima, netdev,
syzbot+2c42ea4485b29beb0643
On Tue, Jan 13, 2026 at 06:54:44PM +0000, Kuniyuki Iwashima wrote:
> syzbot reported memleak of struct l2tp_session, l2tp_tunnel,
> sock, etc. [0]
>
> The cited commit moved down the validation of the protocol
> version in l2tp_udp_encap_recv().
>
> The new place requires an extra error handling to avoid the
> memleak.
>
> Let's call l2tp_session_put() there.
Reviewed-by: Guillaume Nault <gnault@redhat.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v1 net] l2tp: Fix memleak in l2tp_udp_encap_recv().
2026-01-13 18:54 [PATCH v1 net] l2tp: Fix memleak in l2tp_udp_encap_recv() Kuniyuki Iwashima
2026-01-13 19:13 ` Guillaume Nault
@ 2026-01-16 4:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-01-16 4:00 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: davem, edumazet, kuba, pabeni, horms, samuel.thibault, kuni1840,
netdev, syzbot+2c42ea4485b29beb0643
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Tue, 13 Jan 2026 18:54:44 +0000 you wrote:
> syzbot reported memleak of struct l2tp_session, l2tp_tunnel,
> sock, etc. [0]
>
> The cited commit moved down the validation of the protocol
> version in l2tp_udp_encap_recv().
>
> The new place requires an extra error handling to avoid the
> memleak.
>
> [...]
Here is the summary with links:
- [v1,net] l2tp: Fix memleak in l2tp_udp_encap_recv().
https://git.kernel.org/netdev/net/c/4d10edfd1475
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-01-16 4:03 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-13 18:54 [PATCH v1 net] l2tp: Fix memleak in l2tp_udp_encap_recv() Kuniyuki Iwashima
2026-01-13 19:13 ` Guillaume Nault
2026-01-16 4:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox