All of lore.kernel.org
 help / color / mirror / Atom feed
* Re: Patch "l2tp: Serialize access to sk_user_data with sk_callback_lock" has been added to the 5.15-stable tree
       [not found] <20221121051216.2603260-1-sashal@kernel.org>
@ 2022-11-21  9:03 ` Jakub Sitnicki
  0 siblings, 0 replies; only message in thread
From: Jakub Sitnicki @ 2022-11-21  9:03 UTC (permalink / raw)
  To: stable, Sasha Levin
  Cc: stable-commits, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni

On Mon, Nov 21, 2022 at 12:12 AM -05, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
>
>     l2tp: Serialize access to sk_user_data with sk_callback_lock
>
> to the 5.15-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
>      l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch
> and it can be found in the queue-5.15 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.

Please don't add the commit below to stable tree, yet.
We have a fix-up for it under review:

https://lore.kernel.org/netdev/20221121085426.21315-1-jakub@cloudflare.com/

> commit 92aa1132edc6e6e912efd056c698cd6e52b83c6f
> Author: Jakub Sitnicki <jakub@cloudflare.com>
> Date:   Mon Nov 14 20:16:19 2022 +0100
>
>     l2tp: Serialize access to sk_user_data with sk_callback_lock
>     
>     [ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ]
>     
>     sk->sk_user_data has multiple users, which are not compatible with each
>     other. Writers must synchronize by grabbing the sk->sk_callback_lock.
>     
>     l2tp currently fails to grab the lock when modifying the underlying tunnel
>     socket fields. Fix it by adding appropriate locking.
>     
>     We err on the side of safety and grab the sk_callback_lock also inside the
>     sk_destruct callback overridden by l2tp, even though there should be no
>     refs allowing access to the sock at the time when sk_destruct gets called.
>     
>     v4:
>     - serialize write to sk_user_data in l2tp sk_destruct
>     
>     v3:
>     - switch from sock lock to sk_callback_lock
>     - document write-protection for sk_user_data
>     
>     v2:
>     - update Fixes to point to origin of the bug
>     - use real names in Reported/Tested-by tags
>     
>     Cc: Tom Parkin <tparkin@katalix.com>
>     Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
>     Reported-by: Haowei Yan <g1042620637@gmail.com>
>     Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
>     Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> diff --git a/include/net/sock.h b/include/net/sock.h
> index e1a303e4f0f7..3e9db5146765 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -323,7 +323,7 @@ struct bpf_local_storage;
>    *	@sk_tskey: counter to disambiguate concurrent tstamp requests
>    *	@sk_zckey: counter to order MSG_ZEROCOPY notifications
>    *	@sk_socket: Identd and reporting IO signals
> -  *	@sk_user_data: RPC layer private data
> +  *	@sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
>    *	@sk_frag: cached page frag
>    *	@sk_peek_off: current peek_offset value
>    *	@sk_send_head: front of stuff to transmit
> diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
> index 93271a2632b8..c77032638a06 100644
> --- a/net/l2tp/l2tp_core.c
> +++ b/net/l2tp/l2tp_core.c
> @@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
>  	}
>  
>  	/* Remove hooks into tunnel socket */
> +	write_lock_bh(&sk->sk_callback_lock);
>  	sk->sk_destruct = tunnel->old_sk_destruct;
>  	sk->sk_user_data = NULL;
> +	write_unlock_bh(&sk->sk_callback_lock);
>  
>  	/* Call the original destructor */
>  	if (sk->sk_destruct)
> @@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
>  		sock = sockfd_lookup(tunnel->fd, &ret);
>  		if (!sock)
>  			goto err;
> -
> -		ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
> -		if (ret < 0)
> -			goto err_sock;
>  	}
>  
> +	sk = sock->sk;
> +	write_lock(&sk->sk_callback_lock);
> +
> +	ret = l2tp_validate_socket(sk, net, tunnel->encap);
> +	if (ret < 0)
> +		goto err_sock;
> +
>  	tunnel->l2tp_net = net;
>  	pn = l2tp_pernet(net);
>  
> -	sk = sock->sk;
>  	sock_hold(sk);
>  	tunnel->sock = sk;
>  
> @@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
>  
>  		setup_udp_tunnel_sock(net, sock, &udp_cfg);
>  	} else {
> -		sk->sk_user_data = tunnel;
> +		rcu_assign_sk_user_data(sk, tunnel);
>  	}
>  
>  	tunnel->old_sk_destruct = sk->sk_destruct;
> @@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
>  	if (tunnel->fd >= 0)
>  		sockfd_put(sock);
>  
> +	write_unlock(&sk->sk_callback_lock);
>  	return 0;
>  
>  err_sock:
> @@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
>  		sock_release(sock);
>  	else
>  		sockfd_put(sock);
> +
> +	write_unlock(&sk->sk_callback_lock);
>  err:
>  	return ret;
>  }


^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2022-11-21  9:05 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20221121051216.2603260-1-sashal@kernel.org>
2022-11-21  9:03 ` Patch "l2tp: Serialize access to sk_user_data with sk_callback_lock" has been added to the 5.15-stable tree Jakub Sitnicki

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.