From: Simon Horman <horms@kernel.org>
To: Yiqi Sun <sunyiqixm@gmail.com>
Cc: jchapman@katalix.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org
Subject: Re: [PATCH net] l2tp: take a session reference in pppol2tp_ioctl()
Date: Thu, 9 Apr 2026 15:46:03 +0100
Message-ID: <20260409144603.GN469338@kernel.org>
In-Reply-To: <20260404133245.2391409-1-sunyiqixm@gmail.com>

On Sat, Apr 04, 2026 at 09:32:45PM +0800, Yiqi Sun wrote:
> pppol2tp_ioctl() reads sock->sk->sk_user_data and dereferences the
> returned l2tp_session without taking a reference on it.
> 
> Since the ppp socket/session lifetime rework, session teardown runs
> asynchronously and can clear sk_user_data and drop the last session
> reference in parallel with ioctl(). This leaves ioctl() with a stale
> session pointer and can trigger a use-after-free.
> 
> Fix this by using pppol2tp_sock_to_session() in pppol2tp_ioctl() and
> dropping the session reference before returning. This matches the
> existing getsockopt/setsockopt paths.
> 
> Fixes: c5cbaef992d64 ("l2tp: refactor ppp socket/session relationship")
> Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
> ---
>  net/l2tp/l2tp_ppp.c | 88 +++++++++++++++++++++++++++------------------
>  1 file changed, 54 insertions(+), 34 deletions(-)
> 
> diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
> index ae4543d5597b..e6d7d3537180 100644
> --- a/net/l2tp/l2tp_ppp.c
> +++ b/net/l2tp/l2tp_ppp.c
> @@ -1042,66 +1042,79 @@ static int pppol2tp_tunnel_copy_stats(struct pppol2tp_ioc_stats *stats,
>  static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
>  			  unsigned long arg)
>  {
> +	struct sock *sk = sock->sk;
>  	struct pppol2tp_ioc_stats stats;
>  	struct l2tp_session *session;
> +	int err;
> +
> +	err = -ENOTCONN;
> +	if (!sk->sk_user_data)
> +		goto end;

I think it would be cleaner to simply:

		return -ENOTCONN;

> +
> +	err = -EBADF;
> +	session = pppol2tp_sock_to_session(sk);
> +	if (!session)
> +		goto end;
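Review bot: the `if (!sk->sk_user_data)` pre-check at the top of this hunk is an unlocked read of the very field the commit message says teardown clears concurrently, so it only serves as an early -ENOTCONN exit and the -ENOTCONN vs -EBADF outcome is timing-dependent; pppol2tp_sock_to_session() remains the call that actually pins the session. That matches the getsockopt/setsockopt shape the commit message cites, so it is fine to keep, but a one-line comment saying the pre-check is not the protection would stop a later reader from treating it as such. Separately, with `session` now held from here to the end of the function, every return inside the part of the switch elided above must route through the put label; that part is not quoted in this reply, so it cannot be confirmed from the hunk as shown.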

And, similarly here.

...

> @@ -1111,15 +1124,22 @@ static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
>  		stats.tunnel_id = session->tunnel->tunnel_id;
>  		stats.using_ipsec = l2tp_tunnel_uses_xfrm(session->tunnel);
>  
> -		if (copy_to_user((void __user *)arg, &stats, sizeof(stats)))
> -			return -EFAULT;
> +		if (copy_to_user((void __user *)arg, &stats, sizeof(stats))) {
> +			err = -EFAULT;
> +			goto end_put_sess;
> +		}
> +		err = 0;
>  		break;
>  
>  	default:
> -		return -ENOIOCTLCMD;
> +		err = -ENOIOCTLCMD;

I would suggest a goto here.

> +		break;
>  	}
>  

And setting err = 0 here, rather than in multiple places above.

> -	return 0;
> +end_put_sess:

I think "out_put_session" would be a slightly better name for this label.

> +	l2tp_session_put(session);
> +end:
> +	return err;
>  }
>  
>  /*****************************************************************************
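Review bot: `stats.tunnel_id = session->tunnel->tunnel_id;` and `l2tp_tunnel_uses_xfrm(session->tunnel)` at the top of this hunk dereference session->tunnel with only the session reference held; that is sound only if a live session keeps its tunnel pinned for as long as the session is referenced. If it does, a sentence in the commit message saying so would save the next reader the same question; if it does not, the stale-pointer window the patch closes for the session still exists for the tunnel. On the control flow itself, the -EFAULT and -ENOIOCTLCMD exits now both fall through to end_put_sess, so the reference is released on every path out of the switch, which is the property the fix needs.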
> -- 
> 2.34.1
> 
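As an added illustration (not part of the patch, and not code from Yiqi Sun's or Simon's mail), the following single-threaded C model contrasts the two ioctl shapes the commit message describes: the pre-fix raw read of sk_user_data, and the post-fix lookup that takes a session reference for the duration of the call. The struct layouts, the helper names (sock_to_session, session_teardown, run_scenario, session_freed_after), the tunnel id 42 and the plain-integer counter standing in for the kernel's rcu_read_lock()/refcount_inc_not_zero() are all assumptions of this model, not the kernel's code; "teardown_mid" injects the asynchronous teardown into the race window deterministically instead of relying on a real second thread.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, cut-down models of the kernel objects. The real lookup uses
 * rcu_read_lock() and refcount_inc_not_zero(); this single-threaded model
 * stands in for that with a plain counter and explicit teardown calls. */
struct session {
	int ref_count;
	int tunnel_id;
	bool freed;	/* kernel would kfree(); kept so callers can observe it */
};

struct sock {
	struct session *user_data;	/* models sk->sk_user_data */
};

static void session_put(struct session *s)
{
	if (--s->ref_count == 0)
		s->freed = true;	/* last reference dropped: object is dead */
}

/* Model of pppol2tp_sock_to_session(): NULL if the socket is detached or the
 * session is already dying, otherwise the session with a reference taken. */
static struct session *sock_to_session(struct sock *sk)
{
	struct session *s = sk->user_data;
	if (!s || s->ref_count == 0)
		return NULL;
	s->ref_count++;
	return s;
}

/* Model of the asynchronous teardown the commit message describes: clear
 * sk_user_data and drop the socket's own session reference. */
static void session_teardown(struct sock *sk)
{
	struct session *s = sk->user_data;
	sk->user_data = NULL;
	if (s)
		session_put(s);
}

/* Pre-fix shape of pppol2tp_ioctl(): raw read of sk_user_data, no reference.
 * Returns the tunnel id, -ENOTCONN if detached, or -1 where the real code would
 * read freed memory. teardown_mid injects teardown into the race window. */
static int ioctl_unsafe(struct sock *sk, bool teardown_mid)
{
	struct session *s = sk->user_data;
	if (!s)
		return -ENOTCONN;
	if (teardown_mid)
		session_teardown(sk);
	if (s->freed)
		return -1;	/* use-after-free in the real code */
	return s->tunnel_id;
}

/* Post-fix shape: hold a reference for the whole ioctl, drop it on every exit. */
static int ioctl_safe(struct sock *sk, bool teardown_mid)
{
	struct session *s = sock_to_session(sk);
	int ret;
	if (!s)
		return -ENOTCONN;
	if (teardown_mid)
		session_teardown(sk);	/* drops only the socket's reference; ours pins the object */
	ret = s->freed ? -1 : s->tunnel_id;
	session_put(s);			/* last reference if teardown already ran */
	return ret;
}

/* Scenario driver on a fresh socket/session pair (constructed sample, tunnel
 * id 42); reports through *freed_out whether the session ended up freed. */
static int run_scenario(bool with_fix, bool teardown_mid, bool *freed_out)
{
	struct session s = { .ref_count = 1, .tunnel_id = 42, .freed = false };
	struct sock sk = { .user_data = &s };
	int ret = with_fix ? ioctl_safe(&sk, teardown_mid)
			   : ioctl_unsafe(&sk, teardown_mid);
	if (freed_out)
		*freed_out = s.freed;
	return ret;
}

static bool session_freed_after(bool with_fix, bool teardown_mid)
{
	bool freed;
	run_scenario(with_fix, teardown_mid, &freed);
	return freed;
}

int main(void)
{
	printf("unfixed, teardown mid-ioctl: %d\n", run_scenario(false, true, NULL));
	printf("fixed, teardown mid-ioctl:   %d\n", run_scenario(true, true, NULL));
	return 0;
}
```

The point the model makes is that with the fix, teardown running inside the ioctl only drops the socket's reference, so the session stays valid until the ioctl's own session_put(); the object is then freed by whichever side drops the last reference, which is exactly why every exit from the real function has to pass through the put label.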


Thread overview: 3+ messages
2026-04-04 13:32 [PATCH net] l2tp: take a session reference in pppol2tp_ioctl() Yiqi Sun
2026-04-09 11:41 ` Paolo Abeni
2026-04-09 14:46 ` Simon Horman [this message]
