Patchwork [3.5.y.z,extended,stable] Patch "l2tp: Restore socket refcount when sendmsg succeeds" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date March 20, 2013, 10:43 a.m.
Message ID <1363776239-5253-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/229331/
State New
Headers show

Comments

Luis Henriques - March 20, 2013, 10:43 a.m.
This is a note to let you know that I have just added a patch titled

    l2tp: Restore socket refcount when sendmsg succeeds

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From d04b290fe8bf798d709aab4ae9ddbd208edb2f43 Mon Sep 17 00:00:00 2001
From: Guillaume Nault <g.nault@alphalink.fr>
Date: Fri, 1 Mar 2013 05:02:02 +0000
Subject: [PATCH] l2tp: Restore socket refcount when sendmsg succeeds

commit 8b82547e33e85fc24d4d172a93c796de1fefa81a upstream.

The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
reference counter after successful transmissions. Any successful
sendmsg() call from userspace will then increase the reference counter
forever, thus preventing the kernel's session and tunnel data from
being freed later on.

The problem only happens when writing directly on L2TP sockets.
PPP sockets attached to L2TP are unaffected as the PPP subsystem
uses pppol2tp_xmit() which symmetrically increase/decrease reference
counters.

This patch adds the missing call to sock_put() before returning from
pppol2tp_sendmsg().

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/l2tp/l2tp_ppp.c | 1 +
 1 file changed, 1 insertion(+)

--
1.8.1.2

Patch

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 8ef6b94..46c7cc7 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -355,6 +355,7 @@  static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
 	l2tp_xmit_skb(session, skb, session->hdr_len);

 	sock_put(ps->tunnel_sock);
+	sock_put(sk);

 	return error;