From: Guillaume Nault <g.nault@alphalink.fr>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, jchapman@katalix.com
Subject: Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
Date: Fri, 10 Aug 2018 19:58:38 +0200
Message-ID: <20180810175837.GB1430@alphalink.fr>
In-Reply-To: <20180805112157.64rx4btyuwvxlzwb@kdev>

On Sun, Aug 05, 2018 at 01:24:13PM +0200, Guillaume Nault wrote:
> On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote:
> > From: Guillaume Nault <g.nault@alphalink.fr>
> > Date: Fri, 3 Aug 2018 17:00:11 +0200
> >
> > > If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
> > > drop the reference taken by l2tp_session_get().
> > >
> > > Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
> > > Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
> > > ---
> > > Sorry for the stupid mistake. I guess I got blinded by the apparent
> > > simplicity of the bug when I wrote the original patch.
> >
> > Applied, thanks.
> >
> > I'm pretty sure I backported the commit this fixes, so I'm queueing
> > this up for -stable as well.
> >
> Well, I think it wasn't. I didn't receive any notification from the
> stable team about it and I don't see it in Greg's stable queue nor
> in any -stable tree.
>
> Also, we'd have to queue 90904ff5f958 ("l2tp: fix pseudo-wire type for
> sessions created by pppol2tp_connect()") first, which is necessary for
> properly identifying PPP sessions.
>
> To recapitulate, three patches are needed to fix the original bug:
>
>   * 90904ff5f958 ("l2tp: fix pseudo-wire type for sessions created by
>     pppol2tp_connect()"): allows later patches to check if a session is
>     PPP.
>
>   * ecd012e45ab5 ("l2tp: filter out non-PPP sessions in
>     pppol2tp_tunnel_ioctl()"): refuses calling pppol2tp_session_ioctl()
>     on non-PPP sessions. This fixes an invalid pointer dereference when
>     the session is Ethernet. Unfortunately it fails to drop the
>     reference it takes on the session.
>
>   * f664e37dcc52 ("l2tp: fix missing refcount drop in
>     pppol2tp_tunnel_ioctl()"): fixes the memory leak introduced by the
>     previous patch.
>

Hi Dave,

As far as I can see, f664e37dcc52 ("l2tp: fix missing refcount drop in
pppol2tp_tunnel_ioctl()") is still in your -stable queue, but the two
patches it depends on haven't made their way to -stable. I'd suggest
either dropping this patch from your -stable queue, or also queueing up
ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
and
f664e37dcc52 ("l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()").
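
The leak described in the quoted commit message, as an added userspace C model that is not code from this thread or from the kernel: a lookup returns a session with a reference held, and the non-PPP path has to drop that reference as well. Every name, the direct-pointer "lookup" and the -1 error value are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
enum pw_type { PW_ETH, PW_PPP };
struct session { int refcnt; enum pw_type pwtype; };

/* Lookup that hands back the session with one extra reference held. */
static struct session *session_get(struct session *s)
{
    if (s)
        s->refcnt++;
    return s;
}
static void session_put(struct session *s) { s->refcnt--; }

/* Stand-in for the PPP-only per-session handler. */
static int ppp_session_ioctl(struct session *s) { (void)s; return 0; }

/* Filters non-PPP sessions but returns on that path with the ref held. */
static int tunnel_ioctl_leaky(struct session *found)
{
    struct session *s = session_get(found);
    int err = -1;               /* constructed error value */
    if (s && s->pwtype == PW_PPP) {
        err = ppp_session_ioctl(s);
        session_put(s);
    }
    return err;                 /* s != NULL and non-PPP: never put */
}

/* Same filter; every path that obtained a session drops it. */
static int tunnel_ioctl_fixed(struct session *found)
{
    struct session *s = session_get(found);
    int err = -1;
    if (!s)
        return err;
    if (s->pwtype == PW_PPP)
        err = ppp_session_ioctl(s);
    session_put(s);
    return err;
}

int main(void)
{
    struct session a = { 1, PW_ETH }, b = { 1, PW_ETH };  /* constructed */
    tunnel_ioctl_leaky(&a);
    tunnel_ioctl_fixed(&b);
    printf("leaky: refcnt=%d  fixed: refcnt=%d\n", a.refcnt, b.refcnt);
    return 0;
}
```

In the model, each call on a non-PPP session through the leaky path raises the count by one, so the object can never reach zero and be freed.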