From: David Miller <davem@davemloft.net>
To: jchapman@katalix.com
Cc: netdev@vger.kernel.org, kbuild-all@01.org
Subject: Re: [PATCH net-next v2 01/16] l2tp: update sk_user_data while holding sk_callback_lock
Date: Mon, 12 Feb 2018 11:21:29 -0500 (EST) [thread overview]
Message-ID: <20180212.112129.1458610223636502379.davem@davemloft.net> (raw)
In-Reply-To: <1518430280-16671-2-git-send-email-jchapman@katalix.com>
From: James Chapman <jchapman@katalix.com>
Date: Mon, 12 Feb 2018 10:11:05 +0000
> Since L2TP hooks on sockets opened by userspace using sk_user_data, we
> may race with other socket families that attempt to use the same
> socket.
>
> This problem was discovered by syzbot using AF_KCM. KCM has since been
> modified to use only TCP sockets to avoid hitting this issue but we
> should prevent such races in L2TP anyway.
>
> Fixes: c8fffcea0a079 ("l2tp: Refactor l2tp core driver to make use of the common UDP tunnel function")
> Reported-by: syzbot+8865eaff7f9acd593945@syzkaller.appspotmail.com
Yikes. Where is your signoff James?
> Kernel BUG at net/l2tp/l2tp_ppp.c:176!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
And this oops dump should be before the various
fixes/reported-by/signed-off-by tags.
Thanks.
next prev parent reply other threads:[~2018-02-12 16:21 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-12 10:11 [PATCH net-next v2 00/16] l2tp: fix API races discovered by syzbot James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 01/16] l2tp: update sk_user_data while holding sk_callback_lock James Chapman
2018-02-12 16:21 ` David Miller [this message]
2018-02-12 18:33 ` Guillaume Nault
2018-02-12 10:11 ` [PATCH net-next v2 02/16] l2tp: add RCU read lock to protect tunnel ptr in ip socket destroy James Chapman
2018-02-12 16:22 ` David Miller
2018-02-12 18:35 ` Guillaume Nault
2018-02-12 10:11 ` [PATCH net-next v2 03/16] l2tp: don't use inet_shutdown on tunnel destroy James Chapman
2018-02-12 16:22 ` David Miller
2018-02-12 17:23 ` James Chapman
2018-02-12 18:41 ` Guillaume Nault
2018-02-12 10:11 ` [PATCH net-next v2 04/16] l2tp: refactor tunnel lifetime handling wrt its socket James Chapman
2018-02-12 18:48 ` Guillaume Nault
2018-02-15 8:23 ` kbuild test robot
2018-02-12 10:11 ` [PATCH net-next v2 05/16] l2tp: use tunnel closing flag James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 06/16] l2tp: refactor session lifetime handling James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 07/16] l2tp: hide sessions if they are closing James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 08/16] l2tp: hide session from pppol2tp_sock_to_session if it is closing James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 09/16] l2tp: refactor pppol2tp_connect James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 10/16] l2tp: add session_free callback James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 11/16] l2tp: do session destroy using a workqueue James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 12/16] l2tp: simplify l2tp_tunnel_closeall James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 13/16] l2tp: refactor ppp session cleanup paths James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 14/16] l2tp: remove redundant sk_user_data check when creating tunnels James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 15/16] l2tp: remove unwanted error message James Chapman
2018-02-12 10:11 ` [PATCH net-next v2 16/16] l2tp: make __l2tp_session_unhash internal James Chapman
2018-02-12 18:52 ` [PATCH net-next v2 00/16] l2tp: fix API races discovered by syzbot Guillaume Nault
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180212.112129.1458610223636502379.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=jchapman@katalix.com \
--cc=kbuild-all@01.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).