From: Guillaume Nault <g.na...@alphalink.fr>
Date: Fri, 31 Mar 2017 13:02:23 +0200

> l2tp_session_find() doesn't take a reference on the session returned to
> its caller. Virtually all l2tp_session_find() users are racy, either
> because the session can disappear from under them or because they take
> a reference too late. This leads to bugs like 'use after free' or
> failure to notice duplicate session creations.
>
> In some cases, taking a reference on the session is not enough. The
> special callbacks .ref() and .deref() also have to be called in cases
> where the PPP pseudo-wire uses the socket associated with the session.
> Therefore, when looking up a session, we also have to pass a flag
> indicating if the .ref() callback has to be called.
>
> In the future, we probably could drop the .ref() and .deref() callbacks
> entirely by protecting the .sock field of struct pppol2tp_session with
> RCU, thus allowing it to be freed and set to NULL even if the L2TP
> session is still alive.

Series applied with the Fixes: tag of patch #5 updated. Thanks.
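As an added illustration of the pattern the quoted cover letter describes, and not code from the L2TP patches themselves, the following user-space model shows a session table whose lookup takes the reference under the same lock that protects the table, so a caller never ends up holding a pointer to a session that is freed from under it, and whose create path checks for duplicates under that same lock hold. Every name here (session_get, session_put, session_create, session_delete, table_lock) is a hypothetical stand-in, the lock is a single-threaded placeholder for the kernel's spinlock, and the .ref()/.deref() socket callbacks are not modelled.

```c
/* Hypothetical refcounted session table (constructed example, not kernel code). */
#include <stdlib.h>
#include <string.h>

struct session {
    unsigned int id;
    int refcount;          /* table's reference + one per outstanding lookup */
    struct session *next;  /* stand-in for a hash chain: a single list */
    int *freed;            /* test hook: set to 1 when the object is released */
};

static struct session *table;   /* all hashed sessions */
static int table_locked;        /* stand-in for the kernel spinlock */

/* Minimal lock stand-in: single-threaded, but aborts on re-entry so misuse is caught. */
static void table_lock(void)   { if (table_locked) abort(); table_locked = 1; }
static void table_unlock(void) { table_locked = 0; }

/* Must be called with the table lock held. */
static struct session *lookup_locked(unsigned int id)
{
    struct session *s;
    for (s = table; s; s = s->next)
        if (s->id == id)
            return s;
    return NULL;
}

/* Drop one reference; the session is freed only when the last one goes away. */
void session_put(struct session *s)
{
    table_lock();
    int last = (--s->refcount == 0);
    table_unlock();
    if (last) {
        if (s->freed)
            *s->freed = 1;
        free(s);
    }
}

/* Lookup that returns with a reference already held, unlike a bare find().
 * The increment happens under the lock that also guards unhashing, so there
 * is no window in which the session can vanish before the caller takes it.
 * The caller must session_put() when done. */
struct session *session_get(unsigned int id)
{
    table_lock();
    struct session *s = lookup_locked(id);
    if (s)
        s->refcount++;
    table_unlock();
    return s;
}

/* Create and hash a session. The duplicate check and the insertion share one
 * lock hold, so two creators racing on the same id cannot both succeed. */
struct session *session_create(unsigned int id, int *freed)
{
    struct session *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->id = id;
    s->refcount = 1;   /* the table's own reference */
    s->freed = freed;
    table_lock();
    if (lookup_locked(id)) {
        table_unlock();
        free(s);
        return NULL;   /* duplicate noticed instead of silently hashed twice */
    }
    s->next = table;
    table = s;
    table_unlock();
    return s;
}

/* Unhash the session and drop the table's reference. Any caller that took its
 * own reference via session_get() keeps a valid pointer until it puts it. */
int session_delete(unsigned int id)
{
    struct session **pp, *s = NULL;
    table_lock();
    for (pp = &table; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) {
            s = *pp;
            *pp = s->next;
            break;
        }
    table_unlock();
    if (!s)
        return -1;
    session_put(s);
    return 0;
}

/* Scenario: a lookup holds a reference while another path deletes the session.
 * Returns 1 if the held pointer stayed valid until put and the duplicate was refused. */
int demo_lookup_survives_delete(void)
{
    int freed = 0;
    if (!session_create(42, &freed)) return 0;
    if (session_create(42, &freed)) return 0;      /* second create must be refused */
    struct session *s = session_get(42);
    if (!s) return 0;
    if (session_delete(42) != 0) return 0;         /* table drops its reference */
    if (freed) return 0;                           /* our reference keeps it alive */
    if (session_get(42) != NULL) return 0;         /* unhashed: no new lookups succeed */
    unsigned int id = s->id;                       /* still safe to dereference */
    session_put(s);
    return freed == 1 && id == 42;
}
```

The point of the model is the contract, not the data structure: the reference is taken inside the lookup while the table lock is held, and deletion only drops the table's reference, so the object's lifetime is decoupled from its presence in the hash. A lookup that returns a bare pointer and lets the caller take the reference afterwards leaves exactly the window the cover letter describes.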