Re: [PATCH v2 1/1] l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
From: patchwork-bot+netdevbpf
Date: Mon Jun 01 2026 - 22:50:23 EST
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:
On Wed, 27 May 2026 13:36:29 +0000 you wrote:
> pppol2tp_ioctl() read sock->sk->sk_user_data directly without any
> locks or reference counting. If a controllable sleep was induced during
> copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent
> socket close could trigger pppol2tp_session_close() asynchronously. This
> frees the l2tp_session structure via the l2tp_session_del_work workqueue.
> Upon resuming, the ioctl thread dereferences the stale session pointer,
> resulting in a Use-After-Free (UAF).
>
> [...]
Here is the summary with links:
- [v2,1/1] l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
https://git.kernel.org/netdev/net/c/a213a8950414
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
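
The quoted commit message describes an ioctl path that sleeps while a concurrent close frees the session. The following is an added example, not part of this email or of the kernel patch: a single-threaded userspace model of that interleaving with the reference held across the sleep point. All names (`session_get_from_sock`, `session_put`, `sock_model`, `cfg`) and the value 1460 are hypothetical and constructed for illustration.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model only; names are hypothetical, not the kernel's. */
struct session { atomic_int refcnt; int cfg; };
struct sock_model { struct session *user_data; };
static int sessions_freed;              /* counts destructor runs */

static void session_put(struct session *s)
{
    if (atomic_fetch_sub(&s->refcnt, 1) == 1) {   /* last reference dropped */
        sessions_freed++;
        free(s);
    }
}

/* Take a reference while the socket still points at the session.
 * In a real kernel this lookup itself needs RCU or a lock around it. */
static struct session *session_get_from_sock(struct sock_model *sk)
{
    struct session *s = sk->user_data;
    if (s) atomic_fetch_add(&s->refcnt, 1);
    return s;
}

/* Socket close: detach the session and drop the socket's reference. */
static void sock_close(struct sock_model *sk)
{
    struct session *s = sk->user_data;
    sk->user_data = NULL;
    if (s) session_put(s);
}

/* ioctl path: sleep_point stands in for copy_from_user() blocking. */
static int ioctl_read_cfg(struct sock_model *sk, void (*sleep_point)(struct sock_model *))
{
    struct session *s = session_get_from_sock(sk);
    if (!s) return -1;                  /* session already detached */
    if (sleep_point) sleep_point(sk);   /* the concurrent close runs here */
    int cfg = s->cfg;                   /* safe: our reference pins the object */
    session_put(s);                     /* final put; the free happens now */
    return cfg;
}

/* Constructed scenario: close fires during the ioctl's sleep. */
static int run_race(void)
{
    struct session *s = malloc(sizeof(*s));
    if (!s) return -2;
    atomic_init(&s->refcnt, 1);         /* reference owned by the socket */
    s->cfg = 1460;
    struct sock_model sk = { s };
    sessions_freed = 0;
    return ioctl_read_cfg(&sk, sock_close);
}
int main(void) { return run_race() == 1460 && sessions_freed == 1 ? 0 : 1; }
```

Without the `session_get_from_sock()` / `session_put()` pair in `ioctl_read_cfg()`, the close at the sleep point would drop the only reference and the later read of `s->cfg` would touch freed memory.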