On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote:
> From: Guillaume Nault <[email protected]>
> Date: Fri, 3 Aug 2018 17:00:11 +0200
>
> > If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
> > drop the reference taken by l2tp_session_get().
> >
> > Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in
> > pppol2tp_tunnel_ioctl()")
> > Signed-off-by: Guillaume Nault <[email protected]>
> > ---
> > Sorry for the stupid mistake. I guess I got blinded by the apparent
> > simplicity of the bug when I wrote the original patch.
>
> Applied, thanks.
>
> I'm pretty sure I backported the commit this fixes, so I'm queueing
> this up for -stable as well.
>
Well, I think it wasn't. I didn't receive any notification from the
stable team about it and I don't see it in Greg's stable queue nor
in any -stable tree.
Also, we'd have to queue 90904ff5f958 ("l2tp: fix pseudo-wire type for
sessions created by pppol2tp_connect()") first, which is necessary for
properly identifying PPP sessions.
To recapitulate, three patches are needed to fix the original bug:
* 90904ff5f958 ("l2tp: fix pseudo-wire type for sessions created by
pppol2tp_connect()"): allows later patches to check if a session is
PPP.
* ecd012e45ab5 ("l2tp: filter out non-PPP sessions in
pppol2tp_tunnel_ioctl()"): refuses calling pppol2tp_session_ioctl()
on non-PPP sessions. This fixes an invalid pointer dereference when
the session is Ethernet. Unfortunately it fails to drop the
reference it takes on the session.
* f664e37dcc52 ("l2tp: fix missing refcount drop in
pppol2tp_tunnel_ioctl()"): fixes the memory leak introduced by the
previous patch.
