From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jianlin Shi <jishi@redhat.com>,
Sabrina Dubroca <sd@queasysnail.net>,
Guillaume Nault <g.nault@alphalink.fr>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 10/27] l2tp: fix race condition in l2tp_tunnel_delete
Date: Thu, 19 Oct 2017 15:49:16 +0200
Message-ID: <20171019134845.239880747@linuxfoundation.org>
In-Reply-To: <20171019134844.523725420@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 62b982eeb4589b2e6d7c01a90590e3a4c2b2ca19 ]

If we try to delete the same tunnel twice, the first delete operation
does a lookup (l2tp_tunnel_get), finds the tunnel, calls
l2tp_tunnel_delete, which queues it for deletion by
l2tp_tunnel_del_work.

The second delete operation also finds the tunnel and calls
l2tp_tunnel_delete. If the workqueue has already fired and started
running l2tp_tunnel_del_work, then l2tp_tunnel_delete will queue the
same tunnel a second time, and try to free the socket again.

Add a dead flag to prevent firing the workqueue twice. Then we can
remove the check of queue_work's result that was meant to prevent that
race but doesn't.

Reproducer:

    ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 local 192.168.0.2 remote 192.168.0.1 encap udp udp_sport 5000 udp_dport 6000
    ip l2tp add session name l2tp1 tunnel_id 3000 session_id 1000 peer_session_id 2000
    ip link set l2tp1 up
    ip l2tp del tunnel tunnel_id 3000
    ip l2tp del tunnel tunnel_id 3000

Fixes: f8ccac0e4493 ("l2tp: put tunnel socket release on a workqueue")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/l2tp/l2tp_core.c | 10 ++++------
net/l2tp/l2tp_core.h | 5 ++++-
2 files changed, 8 insertions(+), 7 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1642,14 +1642,12 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
/* This function is used by the netlink TUNNEL_DELETE command.
*/
-int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
+void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
{
- l2tp_tunnel_inc_refcount(tunnel);
- if (false == queue_work(l2tp_wq, &tunnel->del_work)) {
- l2tp_tunnel_dec_refcount(tunnel);
- return 1;
+ if (!test_and_set_bit(0, &tunnel->dead)) {
+ l2tp_tunnel_inc_refcount(tunnel);
+ queue_work(l2tp_wq, &tunnel->del_work);
}
- return 0;
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
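Review bot: test_and_set_bit(0, &tunnel->dead) in l2tp_tunnel_delete() hard-codes bit 0 with nothing saying what that bit means. A named constant for the bit would make the intent readable at the call site. The comment above the function still only says it is used by the netlink TUNNEL_DELETE command; it should also state the new contract, namely that only the first caller takes the reference and queues del_work and that any later call on the same tunnel is a no-op.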
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -169,6 +169,9 @@ struct l2tp_tunnel_cfg {
struct l2tp_tunnel {
int magic; /* Should be L2TP_TUNNEL_MAGIC */
+
+ unsigned long dead;
+
struct rcu_head rcu;
rwlock_t hlist_lock; /* protect session_hlist */
struct hlist_head session_hlist[L2TP_HASH_SIZE];
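Review bot: the new "unsigned long dead;" member of struct l2tp_tunnel has no comment, while the neighbouring magic and hlist_lock members each document their purpose. Please add one saying that bit 0 is set by l2tp_tunnel_delete() when deletion is queued, that it is accessed with atomic bitops (which is why it is an unsigned long rather than a bool), and that nothing in this patch ever clears it, so the flag is one-way for the lifetime of the tunnel.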
@@ -252,7 +255,7 @@ int l2tp_tunnel_create(struct net *net,
u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg,
struct l2tp_tunnel **tunnelp);
void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel);
-int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
+void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
struct l2tp_session *l2tp_session_create(int priv_size,
struct l2tp_tunnel *tunnel,
u32 session_id, u32 peer_session_id,
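Review bot: the prototype of l2tp_tunnel_delete() changes from int to void here, but the diffstat shows only l2tp_core.c and l2tp_core.h being touched. Since this is a backport, it is worth confirming that no caller in the 3.18 tree assigns or tests the return value, because any such caller would stop building after this change. The changelog could also note that callers can no longer tell a first delete from a repeated one.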