Re: [PATCH 1/1] l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
From: Jakub Kicinski
Date: Fri May 22 2026 - 14:21:47 EST
On Wed, 20 May 2026 14:48:36 +0100 Lee Jones wrote:
> pppol2tp_ioctl() read sock->sk->sk_user_data directly without any locks
> or reference counting. If a controllable sleep was induced during
> copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent
> socket close could trigger pppol2tp_session_close() asynchronously. This
> frees the l2tp_session structure via the l2tp_session_del_work workqueue.
> Upon resuming, the ioctl thread dereferences the stale session pointer,
> resulting in a Use-After-Free (UAF).
>
> Fix this by securely fetching the session reference using the RCU-safe,
> refcounted helper pppol2tp_sock_to_session(sk) on entry. This locks the
> session's refcount across the sleep. We structured the function to exit
> via standard err breaks, guaranteeing that l2tp_session_put() is cleanly
> called on all return paths to drop the reference.
Since this is a fix we will need this reposted with a Fixes tag, please.
--
pw-bot: cr
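The lifetime rule the quoted commit message relies on, as an added userspace model (not the kernel's l2tp code; the struct and function names are stand-ins for pppol2tp_sock_to_session(), l2tp_session_put() and pppol2tp_session_close()): the ioctl takes a session reference on entry and holds it across the window in which a concurrent close can run, so the close only drops the socket's own reference and the session is freed by the final put after the ioctl has finished with it.

```c
/* Added userspace model of the refcount pattern in the fix; not the
 * kernel's l2tp code, and the names are stand-ins for the real helpers. */
#include <stddef.h>
struct session {
    int refcount;   /* models the refcount_t on struct l2tp_session */
    int freed;      /* set when the last reference is dropped */
};
struct sock { struct session *sk_user_data; };   /* cleared by close */

/* Stand-in for pppol2tp_sock_to_session(): returns the session with a
 * reference held, or NULL if the socket has already been closed. */
static struct session *sock_to_session(struct sock *sk)
{
    struct session *s = sk->sk_user_data;
    if (s)
        s->refcount++;
    return s;
}

/* Stand-in for l2tp_session_put(): the final put frees the session. */
static void session_put(struct session *s)
{
    if (--s->refcount == 0)
        s->freed = 1;   /* the real code frees it from the workqueue */
}

/* Stand-in for pppol2tp_session_close(): the socket drops its reference. */
static void session_close(struct sock *sk)
{
    struct session *s = sk->sk_user_data;
    sk->sk_user_data = NULL;
    session_put(s);
}

/* ioctl in the fixed shape: hold a reference on entry and drop it on every
 * exit path. close_during_sleep models a concurrent close while
 * copy_from_user() sleeps; the held reference keeps the session alive, so
 * the dereference after resuming is safe and -2 is never returned. */
static int ioctl_fixed(struct sock *sk, int close_during_sleep)
{
    int err = -1;
    struct session *s = sock_to_session(sk);
    if (!s)
        goto out;
    if (close_during_sleep)
        session_close(sk);      /* only drops the socket's reference */
    err = s->freed ? -2 : 0;    /* still valid: we hold a reference */
    session_put(s);             /* last put frees it, as in the fix */
out:
    return err;
}
```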