* [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
From: Guillaume Nault @ 2018-08-03 15:00 UTC
  To: netdev; +Cc: James Chapman

If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
drop the reference taken by l2tp_session_get().

Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
Sorry for the stupid mistake. I guess I got blinded by the apparent
simplicity of the bug when I wrote the original patch.

net/l2tp/l2tp_ppp.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index e398797878a9..cf6cca260e7b 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1201,13 +1201,18 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
 				l2tp_session_get(sock_net(sk), tunnel,
 						 stats.session_id);
 
-			if (session && session->pwtype == L2TP_PWTYPE_PPP) {
-				err = pppol2tp_session_ioctl(session, cmd,
-							     arg);
+			if (!session) {
+				err = -EBADR;
+				break;
+			}
+			if (session->pwtype != L2TP_PWTYPE_PPP) {
 				l2tp_session_dec_refcount(session);
-			} else {
 				err = -EBADR;
+				break;
 			}
+
+			err = pppol2tp_session_ioctl(session, cmd, arg);
+			l2tp_session_dec_refcount(session);
 			break;
 		}
 #ifdef CONFIG_XFRM
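Review bot: the reference taken by l2tp_session_get() at the top of the hunk is now released on every exit path: a NULL session holds no reference, the non-PPP branch calls l2tp_session_dec_refcount() before its `break`, and the PPP path drops it right after pppol2tp_session_ioctl(), so the leak introduced by ecd012e45ab5 is closed. The two rejection branches cannot be merged into one `if (!session || session->pwtype != L2TP_PWTYPE_PPP)` without dereferencing a NULL session, so the split is justified, but a short comment on the non-PPP branch noting that the reference must be dropped before bailing out would make the ownership explicit for future edits. The commit message should also state that the pwtype check is only meaningful once 90904ff5f958 ("l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()") is present, since the -stable discussion in this thread shows that dependency is easy to miss when backporting.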
-- 
2.18.0


* Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
From: David Miller @ 2018-08-03 19:42 UTC
  To: g.nault; +Cc: netdev, jchapman

From: Guillaume Nault <g.nault@alphalink.fr>
Date: Fri, 3 Aug 2018 17:00:11 +0200

> If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
> drop the reference taken by l2tp_session_get().
> 
> Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
> Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
> ---
> Sorry for the stupid mistake. I guess I got blinded by the apparent
> simplicity of the bug when I wrote the original patch.

Applied, thanks.

I'm pretty sure I backported the commit this fixes, so I'm queueing
this up for -stable as well.


* Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
From: Guillaume Nault @ 2018-08-05 11:24 UTC
  To: David Miller; +Cc: netdev, jchapman

On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote:
> From: Guillaume Nault <g.nault@alphalink.fr>
> Date: Fri, 3 Aug 2018 17:00:11 +0200
> 
> > If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
> > drop the reference taken by l2tp_session_get().
> > 
> > Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
> > Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
> > ---
> > Sorry for the stupid mistake. I guess I got blinded by the apparent
> > simplicity of the bug when I wrote the original patch.
> 
> Applied, thanks.
> 
> I'm pretty sure I backported the commit this fixes, so I'm queueing
> this up for -stable as well.
> 
Well, I think it wasn't. I didn't receive any notification from the
stable team about it and I don't see it in Greg's stable queue nor
in any -stable tree.

Also, we'd have to queue 90904ff5f958 ("l2tp: fix pseudo-wire type for
sessions created by pppol2tp_connect()") first, which is necessary for
properly identifying PPP sessions.

To recapitulate, three patches are needed to fix the original bug:

  * 90904ff5f958 ("l2tp: fix pseudo-wire type for sessions created by
    pppol2tp_connect()"): allows later patches to check if a session is
    PPP.

  * ecd012e45ab5 ("l2tp: filter out non-PPP sessions in
    pppol2tp_tunnel_ioctl()"): refuses calling pppol2tp_session_ioctl()
    on non-PPP sessions. This fixes an invalid pointer dereference when
    the session is Ethernet. Unfortunately it fails to drop the
    reference it takes on the session.

  * f664e37dcc52 ("l2tp: fix missing refcount drop in
    pppol2tp_tunnel_ioctl()"): fixes the memory leak introduced by the
    previous patch.


* Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
From: Guillaume Nault @ 2018-08-10 17:58 UTC
  To: David Miller; +Cc: netdev, jchapman

On Sun, Aug 05, 2018 at 01:24:13PM +0200, Guillaume Nault wrote:
> On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote:
> > From: Guillaume Nault <g.nault@alphalink.fr>
> > Date: Fri, 3 Aug 2018 17:00:11 +0200
> > 
> > > If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
> > > drop the reference taken by l2tp_session_get().
> > > 
> > > Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
> > > Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
> > > ---
> > > Sorry for the stupid mistake. I guess I got blinded by the apparent
> > > simplicity of the bug when I wrote the original patch.
> > 
> > Applied, thanks.
> > 
> > I'm pretty sure I backported the commit this fixes, so I'm queueing
> > this up for -stable as well.
> > 
> Well, I think it wasn't. I didn't receive any notification from the
> stable team about it and I don't see it in Greg's stable queue nor
> in any -stable tree.
> 
> Also, we'd have to queue 90904ff5f958 ("l2tp: fix pseudo-wire type for
> sessions created by pppol2tp_connect()") first, which is necessary for
> properly identifying PPP sessions.
> 
> To recapitulate, three patches are needed to fix the original bug:
> 
>   * 90904ff5f958 ("l2tp: fix pseudo-wire type for sessions created by
>     pppol2tp_connect()"): allows later patches to check if a session is
>     PPP.
> 
>   * ecd012e45ab5 ("l2tp: filter out non-PPP sessions in
>     pppol2tp_tunnel_ioctl()"): refuses calling pppol2tp_session_ioctl()
>     on non-PPP sessions. This fixes an invalid pointer dereference when
>     the session is Ethernet. Unfortunately it fails to drop the
>     reference it takes on the session.
> 
>   * f664e37dcc52 ("l2tp: fix missing refcount drop in
>     pppol2tp_tunnel_ioctl()"): fixes the memory leak introduced by the
>     previous patch.
> 
Hi Dave,

As far as I can see, f664e37dcc52 ("l2tp: fix missing refcount drop in
pppol2tp_tunnel_ioctl()") is still in your -stable queue, but the two
patches it depends on haven't made their way to -stable. I'd suggest to
either drop this patch from your -stable queue, or to also queue up
ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
and
f664e37dcc52 ("l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()").


* Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
From: David Miller @ 2018-08-10 18:04 UTC
  To: g.nault; +Cc: netdev, jchapman

From: Guillaume Nault <g.nault@alphalink.fr>
Date: Fri, 10 Aug 2018 19:58:38 +0200

> As far as I can see, f664e37dcc52 ("l2tp: fix missing refcount drop in
> pppol2tp_tunnel_ioctl()") is still in your -stable queue, but the two
> patches it depends on haven't made their way to -stable. I'd suggest to
> either drop this patch from your -stable queue, or to also queue up
> ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
> and
> f664e37dcc52 ("l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()").

Thanks Guillaume, I'll sort this out the next time I work on stable
submissions.
