From: James Chapman <jchapman@katalix.com>
To: netdev@vger.kernel.org
Subject: [PATCH net 0/5] l2tp: fix API races discovered by syzbot
Date: Fri, 23 Feb 2018 17:45:42 +0000
Message-ID: <1519407947-14861-1-git-send-email-jchapman@katalix.com>

This patch series addresses several races with L2TP APIs discovered by
syzbot. There are no functional changes.

The set of patches 1-5 in combination fixes the following syzbot reports.

19c09769f WARNING in debug_print_object
347bd5acd KASAN: use-after-free Read in inet_shutdown
6e6a5ec8d general protection fault in pppol2tp_connect
9df43faf0 KASAN: use-after-free Read in pppol2tp_connect

My first attempts to fix these issues were as net-next patches but
the series included other refactoring and cleanup work. I was asked to
separate out the bugfixes and redo for the net tree, which is what
these patches are.

The changes are:

 1. Fix inet_shutdown races when L2TP tunnels and sessions close. (patches 1-2)
 2. Fix races with tunnel and its socket. (patch 3)
 3. Fix race in pppol2tp_release with session and its socket. (patch 4)
 4. Fix tunnel lookup use-after-free. (patch 5)

All of the syzbot reproducers hit races in the tunnel and pppol2tp
session create and destroy paths. These tests create and destroy
pppol2tp tunnels and sessions rapidly using multiple threads,
provoking races in several tunnel/session create/destroy paths. The
key problem was that each tunnel/session socket could be destroyed
while its associated tunnel/session object still existed (patches 3,
4). Patch 5 addresses a problem with the way tunnels are removed from
the tunnel list. Patch 5 is tagged as addressing all four syzbot
issues, though all 5 patches are needed.

James Chapman (5):
  l2tp: don't use inet_shutdown on tunnel destroy
  l2tp: don't use inet_shutdown on ppp session destroy
  l2tp: fix races with tunnel socket close
  l2tp: fix race in pppol2tp_release with session object destroy
  l2tp: fix tunnel lookup use-after-free race

 net/l2tp/l2tp_core.c | 142 ++++++++++++++++-----------------------------------
 net/l2tp/l2tp_core.h |  23 +--------
 net/l2tp/l2tp_ip.c   |  10 ++--
 net/l2tp/l2tp_ip6.c  |   8 ++-
 net/l2tp/l2tp_ppp.c  |  60 ++++++++++------------
 5 files changed, 77 insertions(+), 166 deletions(-)

-- 
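The cover letter's key point is a lifetime bug class: a tunnel object caches a pointer to its socket, and the socket can be torn down by its owner's close() while the tunnel object (and its later use of that pointer) still exists. The following is an added userspace C model of that hazard and of the reference-counting discipline that prevents it; it is illustrative code written for this page, not the kernel's l2tp code or any of the five patches. The `fake_sock`, `fake_tunnel`, `sock_hold`, `sock_put` and `run_scenario` names are hypothetical, chosen to mirror the kernel's sk_refcnt / sock_hold / sock_put pairing. Instead of free()ing the socket, the model flags it DEAD so the "unsafe" ordering can be observed without real undefined behaviour.

```c
/* Added illustration (not kernel code): a cached object must hold its own
 * reference on the socket it points to, otherwise the socket owner's close()
 * can destroy it underneath the object. Names are hypothetical. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

enum sock_state { SOCK_LIVE = 1, SOCK_DEAD = 2 };

struct fake_sock {
    atomic_int refcnt;       /* plays the role of sk_refcnt */
    enum sock_state state;   /* LIVE until the last reference is dropped */
};

/* Number of sockets torn down so far; lets a caller observe "frees". */
static int g_socks_freed;

static struct fake_sock *sock_alloc(void)
{
    struct fake_sock *sk = calloc(1, sizeof *sk);
    atomic_init(&sk->refcnt, 1);   /* the creator's (owner's) reference */
    sk->state = SOCK_LIVE;
    return sk;
}

static void sock_hold(struct fake_sock *sk)
{
    atomic_fetch_add(&sk->refcnt, 1);
}

/* Drop one reference; tear the socket down when the last one goes. The memory
 * is marked DEAD rather than free()d so the unsafe path below stays observable. */
static void sock_put(struct fake_sock *sk)
{
    if (atomic_fetch_sub(&sk->refcnt, 1) == 1) {
        sk->state = SOCK_DEAD;
        g_socks_freed++;
    }
}

struct fake_tunnel {
    struct fake_sock *sock;  /* cached pointer to the tunnel's socket */
    int holds_ref;           /* 1 if the tunnel took its own sock_hold() */
};

static struct fake_tunnel *tunnel_create(struct fake_sock *sk, int take_ref)
{
    struct fake_tunnel *t = calloc(1, sizeof *t);
    t->sock = sk;
    t->holds_ref = take_ref;
    if (take_ref)
        sock_hold(sk);       /* the fix: the tunnel pins the socket's lifetime */
    return t;
}

/* 0 if the tunnel's socket is still live, -1 if it touched a destroyed
 * socket (the access KASAN would report as a use-after-free). */
static int tunnel_use_socket(const struct fake_tunnel *t)
{
    return t->sock->state == SOCK_LIVE ? 0 : -1;
}

static void tunnel_destroy(struct fake_tunnel *t)
{
    if (t->holds_ref)
        sock_put(t->sock);   /* release the tunnel's reference last */
    free(t);
}

/* Scenario from the cover letter: the socket owner closes (drops its ref)
 * while the tunnel object still exists, and the tunnel is used afterwards.
 * Returns tunnel_use_socket()'s result for that ordering. */
static int run_scenario(int tunnel_holds_ref)
{
    g_socks_freed = 0;
    struct fake_sock *sk = sock_alloc();
    struct fake_tunnel *t = tunnel_create(sk, tunnel_holds_ref);
    sock_put(sk);                      /* owner's close(): drops its reference */
    int rc = tunnel_use_socket(t);     /* later tunnel activity */
    tunnel_destroy(t);
    free(sk);                          /* model bookkeeping only */
    return rc;
}

/* How many teardowns the scenario produced (always exactly one, but in the
 * safe variant it happens only when the tunnel releases its reference). */
static int socks_freed_after_scenario(int tunnel_holds_ref)
{
    run_scenario(tunnel_holds_ref);
    return g_socks_freed;
}

int main(void)
{
    printf("tunnel without its own reference: rc=%d\n", run_scenario(0));
    printf("tunnel holding a reference:       rc=%d\n", run_scenario(1));
    return 0;
}
```

Without its own reference the tunnel observes a dead socket (rc = -1); with `sock_hold()` at bind time and `sock_put()` at tunnel destroy the owner's close() only drops the refcount to one, the socket survives until the tunnel lets go, and the same ordering returns 0. The same discipline applies symmetrically to a session object and the pppol2tp socket it caches.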


Thread overview: 7+ messages
2018-02-23 17:45 James Chapman [this message]
2018-02-23 17:45 ` [PATCH net 1/5] l2tp: don't use inet_shutdown on tunnel destroy James Chapman
2018-02-23 17:45 ` [PATCH net 2/5] l2tp: don't use inet_shutdown on ppp session destroy James Chapman
2018-02-23 17:45 ` [PATCH net 3/5] l2tp: fix races with tunnel socket close James Chapman
2018-02-23 17:45 ` [PATCH net 4/5] l2tp: fix race in pppol2tp_release with session object destroy James Chapman
2018-02-23 17:45 ` [PATCH net 5/5] l2tp: fix tunnel lookup use-after-free race James Chapman
2018-02-26 17:21 ` [PATCH net 0/5] l2tp: fix API races discovered by syzbot David Miller
