From ab6934e084e5eee665adf6e834e5096ebae4a95f Mon Sep 17 00:00:00 2001 From: Tom Parkin Date: Fri, 24 Jul 2020 16:31:57 +0100 Subject: [PATCH] l2tp: WARN_ON rather than BUG_ON in l2tp_session_free l2tp_session_free called BUG_ON if the tunnel magic feather value wasn't correct. The intent of this was to catch lifetime bugs; for example early tunnel free due to incorrect use of reference counts. Since the tunnel magic feather being wrong indicates either early free or structure corruption, we can avoid doing more damage by simply leaving the tunnel structure alone. If the tunnel refcount isn't dropped when it should be, the tunnel instance will remain in the kernel, resulting in the tunnel structure and socket leaking. Signed-off-by: Tom Parkin Signed-off-by: David S. Miller --- net/l2tp/l2tp_core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 50548c6..e723828 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -1564,10 +1564,12 @@ void l2tp_session_free(struct l2tp_session *session) struct l2tp_tunnel *tunnel = session->tunnel; if (tunnel) { - BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC); + if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC)) + goto out; l2tp_tunnel_dec_refcount(tunnel); } +out: kfree(session); } EXPORT_SYMBOL_GPL(l2tp_session_free); -- 2.7.4