Hi Greg.
This is for 4.14.
We received a PoC (code to run as root with a KASAN kernel) demonstrating the existence of a use-after-free in pppol2tp_sendmsg. This was accompanied by a patch to resolve it, consisting mostly of parts of patch 3 plus a little of 4.
The following patches all apply cleanly and compile with allmodconfig. However, I lack the hardware to test them.
The changes are already in 4.19. I'll post the changes for 4.9 next.
Regards, Giuliano.
Guillaume Nault (4):
  l2tp: don't register sessions in l2tp_session_create()
  l2tp: initialise l2tp_eth sessions before registering them
  l2tp: protect sock pointer of struct pppol2tp_session with RCU
  l2tp: initialise PPP sessions before registering them

 net/l2tp/l2tp_core.c |  21 ++--
 net/l2tp/l2tp_core.h |   3 +
 net/l2tp/l2tp_eth.c  |  99 +++++++++++++-----
 net/l2tp/l2tp_ppp.c  | 238 +++++++++++++++++++++++++++----------------
 4 files changed, 238 insertions(+), 123 deletions(-)