Message-ID: <1520844798.2585.13.camel@redhat.com>
Subject: Re: [PATCH net v2 2/2] l2tp: fix races with ipv4-mapped ipv6 addresses
From: Paolo Abeni
To: Guillaume Nault
Cc: netdev@vger.kernel.org, "David S. Miller", James Chapman, Wei Wang, David Ahern
Date: Mon, 12 Mar 2018 09:53:18 +0100
In-Reply-To: <20180309182634.GF1351@alphalink.fr>

On Fri, 2018-03-09 at 19:26 +0100, Guillaume Nault wrote:
> On Fri, Mar 09, 2018 at 06:58:00PM +0100, Paolo Abeni wrote:
> > The single threaded reproducer does not trigger anymore after 1/2,
> > _but_ if I ask syzbot to test 1/2 that will trigger another splat,
> > because syzbot will do also multi threaded tests and we will hit the
> > race between connect(tunnel->fd) and l2tp_tunnel_create(),
> >
>
> Ok, and this case is handled by the sk_state test in l2tp_xmit_skb(),
> right?

We need both such test and checking for v4mapped address in
l2tp_xmit_skb()

> I just want to be sure that I didn't miss anything and that patch 1/2
> combined with the socket state check in l2tp_xmit_skb() are enough to
> fix the bug. And that overriding ->inet_*addr can be removed entirely
> (and safely!).

I tested the above vs the repro and in some real use case, but any
additional pair of eyes is welcome!

I'll send v3 soon.

Cheers,

Paolo