From: David Miller
Subject: Re: [PATCH net v2] l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache
Date: Mon, 13 Aug 2018 08:49:02 -0700 (PDT)
Message-ID: <20180813.084902.1760302474267227234.davem@davemloft.net>
In-Reply-To: <20180810181456.76250-1-tracywwnj@gmail.com>
References: <20180810181456.76250-1-tracywwnj@gmail.com>
To: weiwan@google.com
Cc: netdev@vger.kernel.org, kafai@fb.com, g.nault@alphalink.fr, dsahern@gmail.com, xiyou.wangcong@gmail.com

From: Wei Wang
Date: Fri, 10 Aug 2018 11:14:56 -0700

> From: Wei Wang
>
> In l2tp code, if it is an L2TP_UDP_ENCAP tunnel, tunnel->sk points to a
> UDP socket. User could call sendmsg() on both this tunnel and the UDP
> socket itself concurrently. As l2tp_xmit_skb() holds the socket lock and calls
> __sk_dst_check() to refresh sk->sk_dst_cache, while udpv6_sendmsg() is
> lockless and calls sk_dst_check() to refresh sk->sk_dst_cache, there
> could be a race and cause the dst cache to be freed multiple times.
> So we fix l2tp side code to always call sk_dst_check() to guarantee
> xchg() is called when refreshing sk->sk_dst_cache to avoid race
> conditions.
>
> Syzkaller reported stack trace: ...
>
> Fixes: 71b1391a4128 ("l2tp: ensure sk->dst is still valid")
> Reported-by: syzbot+05f840f3b04f211bad55@syzkaller.appspotmail.com
> Signed-off-by: Wei Wang
> Signed-off-by: Martin KaFai Lau ...
> ---
> v1->v2: Removed dst_clone() as Guillaume Nault suggested

Applied and queued up for -stable, thank you.
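The race the commit message describes, as an added toy model that is not part of this thread or of the kernel's l2tp code. It keeps only what the race needs: one dst pointer, a socket cache slot, and two callers whose interleaving is forced by hand rather than by a scheduler so the outcome is deterministic. `plain_read()`/`plain_clear_and_release()` stand in for the pre-fix l2tp path (snapshot the pointer, then clear it and release what was seen, as two separate steps); `xchg_clear_and_release()` stands in for the sk_dst_check()/sk_dst_reset() path, where the pointer is taken out of the cache with an exchange. The reference counting is simplified (the udp side does not take its own hold first, as the real sk_dst_get() does); struct names, field names and the two scenario functions are illustrative, not kernel identifiers.

```c
/* Toy model of the sk->sk_dst_cache double-release race. Not kernel code:
 * the interleaving is written out explicitly instead of relying on threads. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

struct dst_entry {
    int refcnt;     /* holders of this route; 0 means freed */
    int obsolete;   /* non-zero: route is stale and must be dropped */
    int releases;   /* how many times dst_release() ran on it */
};

struct sock {
    _Atomic(struct dst_entry *) sk_dst_cache;
};

/* Stand-in for dst_release(): in the kernel a second release of a refcnt==1
 * entry frees memory that is already free. Here it only drives refcnt
 * negative and bumps a counter so the double release is observable. */
static void dst_release(struct dst_entry *dst)
{
    if (!dst)
        return;
    dst->refcnt--;
    dst->releases++;
}

/* Pre-fix l2tp side (__sk_dst_check() style): the snapshot and the
 * clear+release are separate steps, so another caller can run in between.
 * Split into two functions so the model can force exactly that. */
static struct dst_entry *plain_read(struct sock *sk)
{
    return atomic_load(&sk->sk_dst_cache);
}

static void plain_clear_and_release(struct sock *sk, struct dst_entry *seen)
{
    if (seen && seen->obsolete) {
        atomic_store(&sk->sk_dst_cache, (struct dst_entry *)NULL);
        dst_release(seen);
    }
}

/* sk_dst_check()/sk_dst_reset() style: the stale pointer leaves the cache
 * via an exchange, so whoever gets a non-NULL result is the only releaser. */
static void xchg_clear_and_release(struct sock *sk, struct dst_entry *seen)
{
    if (seen && seen->obsolete) {
        struct dst_entry *old =
            atomic_exchange(&sk->sk_dst_cache, (struct dst_entry *)NULL);
        dst_release(old); /* NULL if the other caller already took it */
    }
}

/* Before the fix: l2tp_xmit_skb() (socket lock held, which the udp sender
 * does not take) snapshots the stale dst, udpv6_sendmsg() drops it with
 * xchg, then l2tp clears and drops it again. Returns release count. */
int releases_before_fix(void)
{
    struct dst_entry d = { .refcnt = 1, .obsolete = 1, .releases = 0 };
    struct sock sk;
    atomic_init(&sk.sk_dst_cache, &d);

    struct dst_entry *l2tp_view = plain_read(&sk);
    struct dst_entry *udp_view = plain_read(&sk);
    xchg_clear_and_release(&sk, udp_view);   /* udp: refcnt 1 -> 0 */
    plain_clear_and_release(&sk, l2tp_view); /* l2tp: 0 -> -1, second release */
    return d.releases;
}

/* Same interleaving after the fix: both sides go through the exchange. */
int releases_after_fix(void)
{
    struct dst_entry d = { .refcnt = 1, .obsolete = 1, .releases = 0 };
    struct sock sk;
    atomic_init(&sk.sk_dst_cache, &d);

    struct dst_entry *l2tp_view = plain_read(&sk);
    struct dst_entry *udp_view = plain_read(&sk);
    xchg_clear_and_release(&sk, udp_view);  /* gets d, refcnt 1 -> 0 */
    xchg_clear_and_release(&sk, l2tp_view); /* gets NULL, nothing to release */
    return d.releases;
}

int main(void)
{
    printf("before fix: %d release(s), after fix: %d release(s)\n",
           releases_before_fix(), releases_after_fix());
    return 0;
}
```

The point the model makes is the one the v1->v2 note relies on: once both callers take the pointer out of the cache with an exchange, the reference that sk_dst_check() hands back is the only one, so l2tp no longer needs the extra dst_clone() and can hand that reference straight to skb_dst_set().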