When l2tp_tunnel_register() fails, l2tp_nl_cmd_tunnel_create() directly frees
the tunnel object with kfree(). This is incorrect because the tunnel's refcount
was incremented to 2: once by l2tp_tunnel_create() (initial refcount=1) and
again by the caller's refcount_inc() for a temporary reference.

The successful path releases the temporary reference with l2tp_tunnel_put(),
leaving the IDR to hold the remaining reference, but the error path bypasses
reference counting entirely. As a result, the refcount stays at 2 while the
memory is freed, which leaks references and violates the object's lifecycle
that expects l2tp_tunnel_free() (via kfree_rcu()) when the refcount drops to
zero.

Fix this by replacing kfree() with two l2tp_tunnel_put() calls: the first
releases the temporary reference, and the second releases the initial
reference, triggering the proper RCU-safe cleanup.

Cc: stable@vger.kernel.org
Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
Signed-off-by: WenTao Liang
---
 net/l2tp/l2tp_netlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 59457c0c14aa..655bed496ffe 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -245,7 +245,8 @@ static int l2tp_nl_cmd_tunnel_create(struct sk_buff *skb, struct genl_info *info
 	refcount_inc(&tunnel->ref_count);
 	ret = l2tp_tunnel_register(tunnel, net, &cfg);
 	if (ret < 0) {
-		kfree(tunnel);
+		l2tp_tunnel_put(tunnel);
+		l2tp_tunnel_put(tunnel);
 		goto out;
 	}
 	ret = l2tp_tunnel_notify(&l2tp_nl_family, info, tunnel,
-- 
2.50.1 (Apple Git-155)
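Review bot: the two back-to-back l2tp_tunnel_put(tunnel) calls in the `if (ret < 0)` branch read like a copy-paste mistake to anyone who has not read the commit message, so add a one-line comment above them stating which reference each drops, e.g. `/* drop the temporary ref taken above, then the initial ref from l2tp_tunnel_create() */`. Also note that the second put is what takes the refcount to zero and hands the object to kfree_rcu(), so `tunnel` is dangling immediately afterwards; please confirm that nothing reachable through `goto out` dereferences `tunnel` on this path, since the old kfree() version had the same hazard but the patch does not say it was checked. Finally, if the temporary refcount_inc() is only needed to keep the tunnel alive across l2tp_tunnel_register() because of the races the Fixes: commit addressed, a sentence in the commit message saying so would explain why the error path cannot simply drop to a single put.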