From: Greg Kroah-Hartman
Date: Fri, 9 Nov 2018 16:29:18 +0000 (-0800)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.125~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f51519be8fda5e38df71da4520a05636f00d2bab;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
l2tp-hold-tunnel-socket-when-handling-control-frames-in-l2tp_ip-and-l2tp_ip6.patch
---
diff --git a/queue-4.4/l2tp-hold-tunnel-socket-when-handling-control-frames-in-l2tp_ip-and-l2tp_ip6.patch b/queue-4.4/l2tp-hold-tunnel-socket-when-handling-control-frames-in-l2tp_ip-and-l2tp_ip6.patch
new file mode 100644
index 00000000000..40162ad860f
--- /dev/null
+++ b/queue-4.4/l2tp-hold-tunnel-socket-when-handling-control-frames-in-l2tp_ip-and-l2tp_ip6.patch
@@ -0,0 +1,55 @@
+From 94d7ee0baa8b764cf64ad91ed69464c1a6a0066b Mon Sep 17 00:00:00 2001
+From: Guillaume Nault
+Date: Wed, 29 Mar 2017 08:44:59 +0200
+Subject: l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6
+
+From: Guillaume Nault
+
+commit 94d7ee0baa8b764cf64ad91ed69464c1a6a0066b upstream.
+
+The code following l2tp_tunnel_find() expects that a new reference is
+held on sk. Either sk_receive_skb() or the discard_put error path will
+drop a reference from the tunnel's socket.
+
+This issue exists in both l2tp_ip and l2tp_ip6.
+
+Fixes: a3c18422a4b4 ("l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()")
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/l2tp/l2tp_ip.c | 5 +++--
+ net/l2tp/l2tp_ip6.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -177,9 +177,10 @@ pass_up:
+
+ tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
+ tunnel = l2tp_tunnel_find(net, tunnel_id);
+- if (tunnel != NULL)
++ if (tunnel) {
+ sk = tunnel->sock;
+- else {
++ sock_hold(sk);
++ } else {
+ struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
+
+ read_lock_bh(&l2tp_ip_lock);
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -188,9 +188,10 @@ pass_up:
+
+ tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
+ tunnel = l2tp_tunnel_find(&init_net, tunnel_id);
+- if (tunnel != NULL)
++ if (tunnel) {
+ sk = tunnel->sock;
+- else {
++ sock_hold(sk);
++ } else {
+ struct ipv6hdr *iph = ipv6_hdr(skb);
+
+ read_lock_bh(&l2tp_ip6_lock);
diff --git a/queue-4.4/series b/queue-4.4/series
index fd80bcc21ef..ac636e02b8b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
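Review bot: In the l2tp_ip.c pass_up path the new `sock_hold(sk)` is taken on `tunnel->sock` right after `l2tp_tunnel_find()`, and nothing visible in the hunk pins the tunnel itself between the lookup and that dereference. If the lookup returns an unreferenced pointer (its body is not shown here), a concurrent tunnel teardown could release the tunnel or its socket before the hold lands, so the refcount fix may still leave a narrow use-after-free window. I would record the assumption next to the hold, e.g. `/* ref dropped by sk_receive_skb() or discard_put; the tunnel itself is not held here */`, and confirm whether this tree offers a lookup that returns a referenced tunnel. The same point applies to the l2tp_ip6.c hunk, and both enclosing receive functions start and end outside the hunks.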
@@ -111,4 +111,5 @@ input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch
 sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch
 x86-percpu-fix-this_cpu_read.patch
 cpuidle-do-not-access-cpuidle_devices-when-config_cpu_idle.patch
+l2tp-hold-tunnel-socket-when-handling-control-frames-in-l2tp_ip-and-l2tp_ip6.patch
 x86-time-correct-the-attribute-on-jiffies-definition.patch