[PATCH] l2tp: fix refcount leak in l2tp_nl_cmd_tunnel_create()

From: WenTao Liang

Date: Thu Jun 11 2026 - 12:55:13 EST


When l2tp_tunnel_register() fails, l2tp_nl_cmd_tunnel_create()
directly frees the tunnel object with kfree(). This is incorrect
because the tunnel's refcount was incremented to 2: once by
l2tp_tunnel_create() (initial refcount=1) and again by the
caller's refcount_inc() for a temporary reference. The successful
path releases the temporary reference with l2tp_tunnel_put(),
leaving the IDR to hold the remaining reference, but the error
path bypasses reference counting entirely. As a result, the
refcount stays at 2 while the memory is freed, which leaks
references and violates the object's lifecycle that expects
l2tp_tunnel_free() (via kfree_rcu()) when the refcount drops
to zero.

Fix this by replacing kfree() with two l2tp_tunnel_put() calls:
the first releases the temporary reference, and the second
releases the initial reference, triggering the proper RCU-safe
cleanup.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
net/l2tp/l2tp_netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 59457c0c14aa..655bed496ffe 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -245,7 +245,8 @@ static int l2tp_nl_cmd_tunnel_create(struct sk_buff *skb, struct genl_info *info
refcount_inc(&tunnel->ref_count);
ret = l2tp_tunnel_register(tunnel, net, &cfg);
if (ret < 0) {
- kfree(tunnel);
+ l2tp_tunnel_put(tunnel);
+ l2tp_tunnel_put(tunnel);
goto out;
}
ret = l2tp_tunnel_notify(&l2tp_nl_family, info, tunnel,
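Review bot: two identical, back-to-back `l2tp_tunnel_put(tunnel);` calls in the error branch read like a copy-paste mistake to anyone who has not read the changelog, and a future cleanup is likely to "fix" one away; please add a short comment on each call saying which reference it drops (the caller's temporary one from the `refcount_inc()` just above, then the initial one taken by `l2tp_tunnel_create()`), or express the intent in a way that does not rely on the reader counting puts. Also worth stating in the changelog is that `l2tp_tunnel_free()`, which the second put now reaches via `kfree_rcu()`, is safe to run on a tunnel that `l2tp_tunnel_register()` rejected (i.e. one that was never published in the IDR and may not have completed its setup), since the old `kfree()` path skipped that teardown entirely and the patch as written does not say it was checked.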
--
2.50.1 (Apple Git-155)