Patch "l2tp: ensure session can't get removed during pppol2tp_session_ioctl()" has been added to the 4.9-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    l2tp: ensure session can't get removed during pppol2tp_session_ioctl()

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     l2tp-ensure-session-can-t-get-removed-during-pppol2tp_session_ioctl.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 57377d63547861919ee634b845c7caa38de4a452 Mon Sep 17 00:00:00 2001
From: Guillaume Nault <g.nault@xxxxxxxxxxxx>
Date: Fri, 31 Mar 2017 13:02:26 +0200
Subject: l2tp: ensure session can't get removed during pppol2tp_session_ioctl()

From: Guillaume Nault <g.nault@xxxxxxxxxxxx>

commit 57377d63547861919ee634b845c7caa38de4a452 upstream.

Holding a reference on session is required before calling
pppol2tp_session_ioctl(). The session could get freed while processing the
ioctl otherwise. Since pppol2tp_session_ioctl() uses the session's socket,
we also need to take a reference on it in l2tp_session_get().

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Amit Pundir <amit.pundir@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 net/l2tp/l2tp_ppp.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1141,11 +1141,18 @@ static int pppol2tp_tunnel_ioctl(struct
 		if (stats.session_id != 0) {
 			/* resend to session ioctl handler */
 			struct l2tp_session *session =
-				l2tp_session_find(sock_net(sk), tunnel, stats.session_id);
-			if (session != NULL)
-				err = pppol2tp_session_ioctl(session, cmd, arg);
-			else
+				l2tp_session_get(sock_net(sk), tunnel,
+						 stats.session_id, true);
+
+			if (session) {
+				err = pppol2tp_session_ioctl(session, cmd,
+							     arg);
+				if (session->deref)
+					session->deref(session);
+				l2tp_session_dec_refcount(session);
+			} else {
 				err = -EBADR;
+			}
 			break;
 		}
 #ifdef CONFIG_XFRM


Patches currently in stable-queue which might be from g.nault@xxxxxxxxxxxx are

queue-4.9/l2tp-take-a-reference-on-sessions-used-in-genetlink-handlers.patch
queue-4.9/l2tp-ensure-session-can-t-get-removed-during-pppol2tp_session_ioctl.patch
queue-4.9/l2tp-fix-race-in-l2tp_recv_common.patch
queue-4.9/l2tp-hold-session-while-sending-creation-notifications.patch
queue-4.9/l2tp-fix-duplicate-session-creation.patch
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]