Re: [PATCH net] l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname

From: Sebastian Andrzej Siewior

Date: Wed May 27 2026 - 03:17:17 EST


sorry for being late…

On 2026-05-22 22:34:23 [-0400], Michael Bommarito wrote:

> a slab-use-after-free. On PREEMPT_RT local_bh_disable() is a per-CPU
> sleeping lock and the preemption window is real;

No, it is not but there is a preemption window, yes.

> on stock PREEMPT
> kernels local_bh_disable() is a preempt_count increment that closes
> the cross-CPU race in practice (see below).

It might be that the window is not wide open. I don't see why it should
not trigger on SMP.

> Use refcount_inc_not_zero() and continue the list walk on failure,
> matching the other session getters in the file. The ifname getter
> is the only session getter in net/l2tp/ that still uses the bare
> refcount_inc() pattern; this change restores file-internal
> consistency. The success path is unchanged.

This is the right change.

> Fixes: abe7a1a7d0b6 ("l2tp: improve tunnel/session refcount helpers")

This simply removes the wrapper but the logic is the same. Wouldn't
commit 2777e2ab5a9cf ("l2tp: take a reference on sessions used in
genetlink handlers") be where it was introduced?

> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>


Sebastian
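
Added example, not part of the original message or of the patch: a user-space C11 model of the lookup pattern discussed above, showing a bare increment handing out a session whose count already reached zero while the increment-if-not-zero variant skips it and continues the walk. The struct, the function names and the constructed two-entry list are hypothetical. The plain atomic add stands in for the bare increment and does not reproduce the kernel refcount_t saturation and warning behaviour.

```c
/* User-space model only; struct, names and list contents are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
struct session {
    atomic_uint ref;        /* 0: last reference dropped, free is pending */
    const char *ifname;
    struct session *next;
};
/* Model of refcount_inc_not_zero(): take a reference only if count != 0. */
static bool ref_inc_not_zero(atomic_uint *r)
{
    unsigned int old = atomic_load(r);
    while (old != 0)        /* a failed compare-exchange reloads 'old' */
        if (atomic_compare_exchange_weak(r, &old, old + 1))
            return true;
    return false;
}

/* Bare increment: returns the first name match even if it is dying. */
static struct session *get_by_ifname_bare(struct session *head, const char *name)
{
    for (struct session *s = head; s; s = s->next)
        if (strcmp(s->ifname, name) == 0) {
            atomic_fetch_add(&s->ref, 1);   /* 0 -> 1 on a dying session */
            return s;
        }
    return NULL;
}

/* Fixed pattern: a dying match is skipped and the walk continues. */
static struct session *get_by_ifname(struct session *head, const char *name)
{
    for (struct session *s = head; s; s = s->next)
        if (strcmp(s->ifname, name) == 0 && ref_inc_not_zero(&s->ref))
            return s;
    return NULL;
}

/* Constructed list: a dying entry still linked, followed by a live one. */
static struct session live  = { 1, "l2tpeth0", NULL };
static struct session dying = { 0, "l2tpeth0", &live };
int main(void)
{
    int fixed_ok = get_by_ifname(&dying, "l2tpeth0") == &live;
    int bare_bad = get_by_ifname_bare(&dying, "l2tpeth0") == &dying;
    printf("fixed returns live: %d, bare returns dying: %d\n", fixed_ok, bare_bad);
    return 0;
}
```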