CVE-2026-53262

In the Linux kernel, the following vulnerability has been resolved:

l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()

pppol2tpioctl() read sock->sk->skuserdata directly without any locks or reference counting. If a controllable sleep was induced during copyfromuser() (e.g. via a userfaultfd page fault sleep), a concurrent socket close could trigger pppol2tpsessionclose() asynchronously. This frees the l2tpsession structure via the l2tpsessiondel_work workqueue. Upon resuming, the ioctl thread dereferences the stale session pointer, resulting in a Use-After-Free (UAF).

Fix this by securely fetching the session reference using the RCU-safe, refcounted helper pppol2tpsocktosession(sk) on entry. This locks the session's refcount across the sleep. We structured the function to exit via standard err breaks, guaranteeing that l2tpsession_put() is cleanly called on all return paths to drop the reference.

To preserve existing behavior we validate the session and its magic signature only for the specific L2TP commands that require it. This ensures that generic/unknown ioctls called on an unconnected socket still return -ENOIOCTLCMD and correctly fall back to generic handlers (e.g. in sockdoioctl()).