From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>, Bill Hong <bhong@brocade.com>
Subject: [PATCH net 0/5] l2tp: fix usage of l2tp_session_find()
Date: Fri, 31 Mar 2017 13:02:23 +0200	[thread overview]
Message-ID: <cover.1490955471.git.g.nault@alphalink.fr> (raw)

l2tp_session_find() doesn't take a reference on the session returned to
its caller. Virtually all l2tp_session_find() users are racy, either
because the session can disappear from under them or because they take
a reference too late. This leads to bugs like 'use after free' or
failure to notice duplicate session creations.

In some cases, taking a reference on the session is not enough. The
special callbacks .ref() and .deref() also have to be called in cases
where the PPP pseudo-wire uses the socket associated with the session.
Therefore, when looking up a session, we also have to pass a flag
indicating if the .ref() callback has to be called.

In the future, we probably could drop the .ref() and .deref() callbacks
entirely by protecting the .sock field of struct pppol2tp_session with
RCU, thus allowing it to be freed and set to NULL even if the L2TP
session is still alive.

Guillaume Nault (5):
  l2tp: fix race in l2tp_recv_common()
  l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
  l2tp: fix duplicate session creation
  l2tp: hold session while sending creation notifications
  l2tp: take a reference on sessions used in genetlink handlers

 net/l2tp/l2tp_core.c    | 152 ++++++++++++++++++++++++++++++++++++++----------
 net/l2tp/l2tp_core.h    |   6 +-
 net/l2tp/l2tp_eth.c     |  10 +---
 net/l2tp/l2tp_ip.c      |  17 ++++--
 net/l2tp/l2tp_ip6.c     |  18 ++++--
 net/l2tp/l2tp_netlink.c |  45 +++++++++-----
 net/l2tp/l2tp_ppp.c     |  75 +++++++++++++-----------
 7 files changed, 222 insertions(+), 101 deletions(-)

-- 
2.11.0
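The lookup-without-reference race the cover letter describes, as an added illustration that is not part of this patch series or of the kernel's l2tp code: a toy user-space session table in C. A racy lookup returns a pointer after dropping the table lock without taking a reference, so a concurrent removal frees the object from under the caller; the safe variant takes the reference while the lock still guarantees the object is alive, and creation performs its duplicate check and insertion in one critical section. The names session_find(), session_get(), session_put(), session_create(), session_remove() and the single table_lock are assumptions of the example; the kernel's real locking, RCU usage and the .ref()/.deref() callbacks are not modelled.

```c
/* Toy model of a refcounted session table. Illustrative user-space C written
 * for this example; not the kernel's l2tp implementation. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

struct session {
    unsigned int id;
    int refcount;            /* owner references; guarded by table_lock */
    struct session *next;
};

static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct session *table_head;   /* singly-linked list of live sessions */
static int live_sessions;            /* number of session objects not yet freed */

/* Must be called with table_lock held. */
static struct session *lookup_locked(unsigned int id)
{
    for (struct session *s = table_head; s; s = s->next)
        if (s->id == id)
            return s;
    return NULL;
}

/* Existence check and insertion under one lock hold: two concurrent
 * creators of the same id cannot both succeed. */
int session_create(unsigned int id)
{
    struct session *s = calloc(1, sizeof(*s));
    if (!s)
        return -ENOMEM;
    s->id = id;
    s->refcount = 1;         /* the table's own reference */

    pthread_mutex_lock(&table_lock);
    if (lookup_locked(id)) {
        pthread_mutex_unlock(&table_lock);
        free(s);
        return -EEXIST;      /* duplicate noticed atomically */
    }
    s->next = table_head;
    table_head = s;
    live_sessions++;
    pthread_mutex_unlock(&table_lock);
    return 0;
}

/* Racy lookup: the lock is dropped and no reference is taken, so the
 * object may be freed before the caller gets to use it. */
struct session *session_find(unsigned int id)
{
    pthread_mutex_lock(&table_lock);
    struct session *s = lookup_locked(id);
    pthread_mutex_unlock(&table_lock);
    return s;
}

/* Safe lookup: the reference is taken while the lock still guarantees the
 * object is alive. Callers must balance it with session_put(). */
struct session *session_get(unsigned int id)
{
    pthread_mutex_lock(&table_lock);
    struct session *s = lookup_locked(id);
    if (s)
        s->refcount++;
    pthread_mutex_unlock(&table_lock);
    return s;
}

void session_put(struct session *s)
{
    pthread_mutex_lock(&table_lock);
    bool last = (--s->refcount == 0);
    if (last)
        live_sessions--;
    pthread_mutex_unlock(&table_lock);
    if (last)
        free(s);             /* last reference gone: object released */
}

/* Unlink the session and drop the table's reference. */
int session_remove(unsigned int id)
{
    struct session **pp, *s = NULL;
    pthread_mutex_lock(&table_lock);
    for (pp = &table_head; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            s = *pp;
            *pp = s->next;
            break;
        }
    }
    pthread_mutex_unlock(&table_lock);
    if (!s)
        return -ENOENT;
    session_put(s);
    return 0;
}

int sessions_alive(void) { return live_sessions; }

/* Scenario mirroring the bug: teardown runs after the lookup but before the
 * use. With session_find() the caller is left with a dangling pointer. */
int demo_find_is_racy(void)
{
    session_create(7);
    struct session *s = session_find(7);  /* no reference taken */
    session_remove(7);                    /* concurrent teardown frees it */
    int alive = sessions_alive();         /* 0: s now points at freed memory */
    (void)s;                              /* must not be dereferenced */
    return alive;
}

/* Same scenario with session_get(): the held reference keeps the object
 * valid until the caller drops it. */
int demo_get_is_safe(void)
{
    session_create(7);
    struct session *s = session_get(7);   /* reference taken under the lock */
    session_remove(7);                    /* table drops only its own reference */
    int alive = sessions_alive();         /* 1: s is still valid here */
    session_put(s);                       /* last reference: freed now */
    return alive;
}
```

The two demo functions run the same create/lookup/remove sequence; only the lookup primitive differs, which is the whole point of the series: the reference must be taken inside the critical section that found the object, not afterwards.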


Thread overview:
2017-03-31 11:02 Guillaume Nault [this message]
2017-03-31 11:02 ` [PATCH net 1/5] l2tp: fix race in l2tp_recv_common() Guillaume Nault
2017-03-31 11:02 ` [PATCH net 2/5] l2tp: ensure session can't get removed during pppol2tp_session_ioctl() Guillaume Nault
2017-03-31 11:02 ` [PATCH net 3/5] l2tp: fix duplicate session creation Guillaume Nault
2017-03-31 11:02 ` [PATCH net 4/5] l2tp: hold session while sending creation notifications Guillaume Nault
2017-03-31 11:02 ` [PATCH net 5/5] l2tp: take a reference on sessions used in genetlink handlers Guillaume Nault
2017-03-31 17:27   ` Guillaume Nault
2017-04-02  3:17 ` [PATCH net 0/5] l2tp: fix usage of l2tp_session_find() David Miller