From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH net 1/3] l2tp: hold reference on tunnels in netlink dumps Date: Fri, 13 Apr 2018 10:57:03 -0400 (EDT) Message-ID: <20180413.105703.352607094166315307.davem@davemloft.net> References: Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, jchapman@katalix.com To: g.nault@alphalink.fr Return-path: Received: from shards.monkeyblade.net ([184.105.139.130]:42390 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750761AbeDMO5F (ORCPT ); Fri, 13 Apr 2018 10:57:05 -0400 In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: From: Guillaume Nault Date: Thu, 12 Apr 2018 20:50:33 +0200 > l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned > tunnel, therefore it can be freed whenever the caller uses it. > This patch defines l2tp_tunnel_get_nth() which works similarly, but > also takes a reference on the returned tunnel. The caller then has to > drop it after it stops using the tunnel. > > Convert netlink dumps to make them safe against concurrent tunnel > deletion. > > Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") > Signed-off-by: Guillaume Nault During the entire invocation of l2tp_nl_cmd_tunnel_dump(), the RTNL mutex is held. Therefore no tunnel configuration changes may occur and the tunnel object will persist and is safe to access. The netlink dump should be safe as-is. Were you actually able to trigger a crash or KASAN warning or is this purely from code inspection?