Commit 979c017803c4 for kernel

commit 979c017803c40829b03acd9e5236e354b7622360
Author: Michael Bommarito <michael.bommarito@gmail.com>
Date:   Mon May 18 14:34:47 2026 -0400

    l2tp: use list_del_rcu in l2tp_session_unhash

    An unprivileged local user can pin a host CPU indefinitely in
    l2tp_session_get_by_ifname() by issuing L2TP_CMD_SESSION_GET on
    L2TP_ATTR_IFNAME concurrently with L2TP_CMD_SESSION_CREATE and
    L2TP_CMD_SESSION_DELETE on the same tunnel. All three commands take
    GENL_UNS_ADMIN_PERM, so CAP_NET_ADMIN in the netns user namespace
    suffices; on any host that has l2tp_core loaded the trigger is
    reachable from a standard `unshare -Urn` sandbox.

    l2tp_session_unhash() removes a session from tunnel->session_list
    with list_del_init(), but that list is walked by
    l2tp_session_get_by_ifname() with list_for_each_entry_rcu() under
    rcu_read_lock_bh(). list_del_init() leaves the deleted entry's
    next/prev self-pointing; a reader that has loaded the entry and
    then advances pos->list.next reads &session->list, container_of()s
    back to the same session, and list_for_each_entry_rcu() never
    reaches the list head. The CPU stays in strcmp() inside the
    walker, with BH and preemption disabled, so RCU grace periods on
    the host stall behind it and the wedged thread cannot be killed
    (SIGKILL is delivered on syscall return).

    Use list_del_rcu() to match the existing list_add_rcu() in
    l2tp_session_register(); the deleted session remains visible to
    in-flight walkers with consistent next/prev pointers until
    kfree_rcu() in l2tp_session_free() releases it. tunnel->session_list
    has exactly one list_del_init() call site; the list_del_init
    (&session->clist) at l2tp_core.c:533 operates on the per-collision
    list, which is not walked under RCU. list_empty(&session->list) is
    not used anywhere in net/l2tp/ after the unhash point, so dropping
    the post-delete self-init is safe; the fix has no userspace-visible
    behavior change.

    Fixes: 89b768ec2dfef ("l2tp: use rcu list add/del when updating lists")
    Cc: stable@vger.kernel.org # 6.11+
    Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
    Link: https://patch.msgid.link/20260518183447.64078-1-michael.bommarito@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 157fc23ce4e1..1455f67e01dd 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1360,7 +1360,7 @@ static void l2tp_session_unhash(struct l2tp_session *session)
 		spin_lock_bh(&pn->l2tp_session_idr_lock);

 		/* Remove from the per-tunnel list */
-		list_del_init(&session->list);
+		list_del_rcu(&session->list);

 		/* Remove from per-net IDR */
 		if (tunnel->version == L2TP_HDR_VER_3) {