CVE-2024-49940

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> l2tp: prevent possible tunnel refcount underflow<br /> <br /> When a session is created, it sets a backpointer to its tunnel. When<br /> the session refcount drops to 0, l2tp_session_free drops the tunnel<br /> refcount if session-&gt;tunnel is non-NULL. However, session-&gt;tunnel is<br /> set in l2tp_session_create, before the tunnel refcount is incremented<br /> by l2tp_session_register, which leaves a small window where<br /> session-&gt;tunnel is non-NULL when the tunnel refcount hasn&amp;#39;t been<br /> bumped.<br /> <br /> Moving the assignment to l2tp_session_register is trivial but<br /> l2tp_session_create calls l2tp_session_set_header_len which uses<br /> session-&gt;tunnel to get the tunnel&amp;#39;s encap. Add an encap arg to<br /> l2tp_session_set_header_len to avoid using session-&gt;tunnel.<br /> <br /> If l2tpv3 sessions have colliding IDs, it is possible for<br /> l2tp_v3_session_get to race with l2tp_session_register and fetch a<br /> session which doesn&amp;#39;t yet have session-&gt;tunnel set. Add a check for<br /> this case.