From mboxrd@z Thu Jan 1 00:00:00 1970
From: Guillaume Nault
Subject: Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
Date: Sun, 5 Aug 2018 13:24:13 +0200
Message-ID: <20180805112157.64rx4btyuwvxlzwb@kdev>
References: <20180803.124222.615955511660952852.davem@davemloft.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: netdev@vger.kernel.org, jchapman@katalix.com
To: David Miller
Return-path: 
Received: from zimbra.alphalink.fr ([217.15.80.77]:55930 "EHLO zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726091AbeHENXR (ORCPT ); Sun, 5 Aug 2018 09:23:17 -0400
Content-Disposition: inline
In-Reply-To: <20180803.124222.615955511660952852.davem@davemloft.net>
Sender: netdev-owner@vger.kernel.org
List-ID: 

On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote:
> From: Guillaume Nault
> Date: Fri, 3 Aug 2018 17:00:11 +0200
> 
> > If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
> > drop the reference taken by l2tp_session_get().
> > 
> > Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
> > Signed-off-by: Guillaume Nault
> > ---
> > Sorry for the stupid mistake. I guess I got blinded by the apparent
> > simplicity of the bug when I wrote the original patch.
> 
> Applied, thanks.
> 
> I'm pretty sure I backported the commit this fixes, so I'm queueing
> this up for -stable as well.
> 
Well, I think it wasn't. I didn't receive any notification from the stable
team about it and I don't see it in Greg's stable queue nor in any -stable
tree.

Also, we'd have to queue 90904ff5f958 ("l2tp: fix pseudo-wire type for
sessions created by pppol2tp_connect()") first, which is necessary for
properly identifying PPP sessions.

To recapitulate, three patches are needed to fix the original bug:

* 90904ff5f958 ("l2tp: fix pseudo-wire type for sessions created by
  pppol2tp_connect()"): allows later patches to check if a session is PPP.

* ecd012e45ab5 ("l2tp: filter out non-PPP sessions in
  pppol2tp_tunnel_ioctl()"): refuses to call pppol2tp_session_ioctl() on
  non-PPP sessions. This fixes an invalid pointer dereference when the
  session is Ethernet. Unfortunately it fails to drop the reference it
  takes on the session.

* f664e37dcc52 ("l2tp: fix missing refcount drop in
  pppol2tp_tunnel_ioctl()"): fixes the memory leak introduced by the
  previous patch.
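The refcount bug the thread describes, as an added user-space mock that is not code from the kernel tree or from the patches under discussion: `session_get()`/`session_put()` stand in for `l2tp_session_get()` and its matching drop, `ppp_session_ioctl()` for `pppol2tp_session_ioctl()`, and the error codes are the mock's own choice. `tunnel_ioctl_leaky()` reproduces the early-return path that leaks the reference; `tunnel_ioctl_fixed()` shows the single-exit shape in which every path that obtained the session also drops it.

```c
#include <errno.h>
#include <stddef.h>
enum pwtype { PW_PPP, PW_ETH };   /* stand-in for the session's pseudo-wire type */
struct session {
    int refcount;                 /* mock of the kernel's session refcount */
    enum pwtype pwtype;
};

/* Stand-in for l2tp_session_get(): look up a session and take a reference. */
static struct session *session_get(struct session *s)
{
    if (s)
        s->refcount++;
    return s;
}
/* Stand-in for the matching reference drop. */
static void session_put(struct session *s) { s->refcount--; }
/* Stand-in for pppol2tp_session_ioctl(); must only ever see PPP sessions. */
static int ppp_session_ioctl(struct session *s) { (void)s; return 0; }

/* Flow after ecd012e45ab5: the PPP check is right, but the early return
 * skips session_put(), so the reference taken by session_get() leaks.
 * Error codes are the mock's own choice, not the kernel's. */
int tunnel_ioctl_leaky(struct session *s)
{
    struct session *session = session_get(s);
    int err;

    if (!session)
        return -ENOENT;
    if (session->pwtype != PW_PPP)
        return -EINVAL;           /* BUG: reference never dropped */
    err = ppp_session_ioctl(session);
    session_put(session);
    return err;
}

/* Flow after f664e37dcc52: every path that obtained the session drops it. */
int tunnel_ioctl_fixed(struct session *s)
{
    struct session *session = session_get(s);
    int err = -ENOENT;

    if (session) {
        err = session->pwtype == PW_PPP ? ppp_session_ioctl(session) : -EINVAL;
        session_put(session);     /* single exit: reference always dropped */
    }
    return err;
}
```

Running an Ethernet session through the leaky variant leaves its refcount one higher than it started, which is exactly the leak that keeps the session from ever being freed; the fixed variant returns the same error but restores the count.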