From: Qingfang Deng
To: stable@vger.kernel.org
Cc: linux-ppp@vger.kernel.org, James Chapman, Guillaume Nault, netdev@vger.kernel.org, Simon Horman, Jakub Kicinski, Paolo Abeni, "David S. Miller", linux-kernel@vger.kernel.org, Eric Dumazet
Subject: [PATCH 6.6.y 6.1.y 5.15.y 5.10.y] l2tp: fix ppp_dev_name() use-after-free
Date: Wed, 18 Mar 2026 09:26:53 +0800
Message-ID: <20260318012653.232518-1-dqfext@gmail.com>

[ Upstream commit 9b8c88f875c04d4cb9111bd5dd9291c7e9691bf5 ]

ppp_dev_name() directly returns netdev->name to the caller. The caller must hold either RCU or RTNL lock, in order to prevent the netdev from being freed while still being used.

The upstream commit expanded the RCU critical section to include ppp_dev_name(), which inadvertently fixed the problem. So backport the commit to fix the UAF in older stable versions.

Fixes: ee40fb2e1eb5 ("l2tp: protect sock pointer of struct pppol2tp_session with RCU")
Cc: Eric Dumazet
Signed-off-by: Qingfang Deng
--- net/l2tp/l2tp_ppp.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 6146e4e67bbb..34d8582c0c07 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c 
@@ -130,22 +130,12 @@ static const struct ppp_channel_ops pppol2tp_chan_ops= =3D { =20 static const struct proto_ops pppol2tp_ops; =20 -/* Retrieves the pppol2tp socket associated to a session. - * A reference is held on the returned socket, so this function must be pa= ired - * with sock_put(). - */ +/* Retrieves the pppol2tp socket associated to a session. */ static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session) { struct pppol2tp_session *ps =3D l2tp_session_priv(session); - struct sock *sk; =20 - rcu_read_lock(); - sk =3D rcu_dereference(ps->sk); - if (sk) - sock_hold(sk); - rcu_read_unlock(); - - return sk; + return rcu_dereference(ps->sk); } =20 /* Helpers to obtain tunnel/session contexts from sockets. @@ -211,14 +201,13 @@ static int pppol2tp_recvmsg(struct socket *sock, stru= ct msghdr *msg, =20 static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *sk= b, int data_len) { - struct pppol2tp_session *ps =3D l2tp_session_priv(session); - struct sock *sk =3D NULL; + struct sock *sk; =20 /* If the socket is bound, send it in to PPP's input queue. Otherwise * queue it on the session socket. */ rcu_read_lock(); - sk =3D rcu_dereference(ps->sk); + sk =3D pppol2tp_session_get_sock(session); if (!sk) goto no_sock; =20 @@ -528,13 +517,14 @@ static void pppol2tp_show(struct seq_file *m, void *a= rg) struct l2tp_session *session =3D arg; struct sock *sk; =20 + rcu_read_lock(); sk =3D pppol2tp_session_get_sock(session); if (sk) { struct pppox_sock *po =3D pppox_sk(sk); =20 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan)); - sock_put(sk); } + rcu_read_unlock(); } =20 static void pppol2tp_session_init(struct l2tp_session *session) @@ -1540,6 +1530,7 @@ static void pppol2tp_seq_session_show(struct seq_file= *m, void *v) port =3D ntohs(inet->inet_sport); } =20 + rcu_read_lock(); sk =3D pppol2tp_session_get_sock(session); if (sk) { state =3D sk->sk_state; 
@@ -1575,8 +1566,8 @@ static void pppol2tp_seq_session_show(struct seq_file= *m, void *v) struct pppox_sock *po =3D pppox_sk(sk); =20 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan)); - sock_put(sk); } + rcu_read_unlock(); } =20 static int pppol2tp_seq_show(struct seq_file *m, void *v) --=20 2.43.0
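
Review bot: In the @@ -130 hunk, the shortened comment on pppol2tp_session_get_sock() no longer states the caller contract. The function now returns a bare rcu_dereference(ps->sk) with no sock_hold(), so the returned pointer is only valid inside the caller's rcu_read_lock() section. Suggest saying so in the comment, for example "Must be called under rcu_read_lock(); no reference is taken on the returned socket", so that a future caller does not use the socket after leaving the read-side section.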
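
Review bot: In pppol2tp_seq_session_show(), rcu_read_lock() is taken in the @@ -1540 hunk and released in the @@ -1575 hunk, so everything between the two hunks now runs inside the RCU read-side section, and those lines are not visible in this patch. Because this single patch targets four stable trees (6.6.y, 6.1.y, 5.15.y, 5.10.y), please confirm for each tree that nothing between "sk = pppol2tp_session_get_sock(session);" and the new rcu_read_unlock() can sleep, and mention that check in the commit message.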