Patch "net/l2tp: Fix reference count leak in l2tp_udp_recv_core" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 19 Sep 2021 18:58:30 -0400

This is a note to let you know that I've just added the patch titled

    net/l2tp: Fix reference count leak in l2tp_udp_recv_core

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_c.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7853a220fd037a5d0160ecf2b5d97d801a44c3a6
Author: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
Date:   Thu Sep 9 12:32:00 2021 +0800

    net/l2tp: Fix reference count leak in l2tp_udp_recv_core
    
    [ Upstream commit 9b6ff7eb666415e1558f1ba8a742f5db6a9954de ]
    
    The reference count leak issue may take place in an error handling
    path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the
    return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
    would directly jump to label invalid, without decrementing the reference
    count of the l2tp_session object session increased earlier by
    l2tp_tunnel_get_session(). This may result in refcount leaks.
    
    Fix this issue by decrease the reference count before jumping to the
    label invalid.
    
    Fixes: 4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3")
    Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
    Signed-off-by: Xin Xiong <xiongx18@xxxxxxxxxxxx>
    Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 203890e378cb..561b6d67ab8b 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
 	}
 
 	if (tunnel->version == L2TP_HDR_VER_3 &&
-	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
+	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
+		l2tp_session_dec_refcount(session);
 		goto invalid;
+	}
 
 	l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
 	l2tp_session_dec_refcount(session);






