From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"David S. Miller" <davem@davemloft.net>,
"Guillaume Nault" <g.nault@alphalink.fr>
Subject: [PATCH 3.2 21/79] l2tp: initialise PPP sessions before registering them
Date: Sun, 11 Feb 2018 04:20:06 +0000 [thread overview]
Message-ID: <lsq.1518322806.472433265@decadent.org.uk> (raw)
In-Reply-To: <lsq.1518322802.943358572@decadent.org.uk>
3.2.99-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c upstream.
pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.
This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.
The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.
Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.
When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_ppp.c | 69 +++++++++++++++++++++++++++++------------------------
1 file changed, 38 insertions(+), 31 deletions(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -478,9 +478,6 @@ static void pppol2tp_session_close(struc
inet_shutdown(sk->sk_socket, SEND_SHUTDOWN);
sock_put(sk);
}
-
- /* Don't let the session go away before our socket does */
- l2tp_session_inc_refcount(session);
return;
}
@@ -541,7 +538,7 @@ static int pppol2tp_release(struct socke
if (session != NULL) {
struct pppol2tp_session *ps;
- l2tp_session_queue_purge(session);
+ l2tp_session_delete(session);
ps = l2tp_session_priv(session);
mutex_lock(&ps->sk_lock);
@@ -636,6 +633,35 @@ static void pppol2tp_show(struct seq_fil
}
#endif
+static void pppol2tp_session_init(struct l2tp_session *session)
+{
+ struct pppol2tp_session *ps;
+ struct dst_entry *dst;
+
+ session->recv_skb = pppol2tp_recv;
+ session->session_close = pppol2tp_session_close;
+#if IS_ENABLED(CONFIG_L2TP_DEBUGFS)
+ session->show = pppol2tp_show;
+#endif
+
+ ps = l2tp_session_priv(session);
+ mutex_init(&ps->sk_lock);
+ ps->tunnel_sock = session->tunnel->sock;
+ ps->owner = current->pid;
+
+ /* If PMTU discovery was enabled, use the MTU that was discovered */
+ dst = sk_dst_get(session->tunnel->sock);
+ if (dst) {
+ u32 pmtu = dst_mtu(dst);
+
+ if (pmtu) {
+ session->mtu = pmtu - PPPOL2TP_HEADER_OVERHEAD;
+ session->mru = pmtu - PPPOL2TP_HEADER_OVERHEAD;
+ }
+ dst_release(dst);
+ }
+}
+
/* connect() handler. Attach a PPPoX socket to a tunnel UDP socket
*/
static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
@@ -648,7 +674,6 @@ static int pppol2tp_connect(struct socke
struct l2tp_session *session = NULL;
struct l2tp_tunnel *tunnel;
struct pppol2tp_session *ps;
- struct dst_entry *dst;
struct l2tp_session_cfg cfg = { 0, };
int error = 0;
u32 tunnel_id, peer_tunnel_id;
@@ -772,8 +797,8 @@ static int pppol2tp_connect(struct socke
goto end;
}
+ pppol2tp_session_init(session);
ps = l2tp_session_priv(session);
- mutex_init(&ps->sk_lock);
l2tp_session_inc_refcount(session);
mutex_lock(&ps->sk_lock);
@@ -786,26 +811,6 @@ static int pppol2tp_connect(struct socke
drop_refcnt = true;
}
- ps->owner = current->pid;
- ps->tunnel_sock = tunnel->sock;
-
- session->recv_skb = pppol2tp_recv;
- session->session_close = pppol2tp_session_close;
-#if defined(CONFIG_L2TP_DEBUGFS) || defined(CONFIG_L2TP_DEBUGFS_MODULE)
- session->show = pppol2tp_show;
-#endif
-
- /* If PMTU discovery was enabled, use the MTU that was discovered */
- dst = sk_dst_get(tunnel->sock);
- if (dst != NULL) {
- u32 pmtu = dst_mtu(dst);
-
- if (pmtu != 0)
- session->mtu = session->mru = pmtu -
- PPPOL2TP_HEADER_OVERHEAD;
- dst_release(dst);
- }
-
/* Special case: if source & dest session_id == 0x0000, this
* socket is being created to manage the tunnel. Just set up
* the internal context for use by ioctl() and sockopt()
@@ -839,6 +844,12 @@ out_no_ppp:
rcu_assign_pointer(ps->sk, sk);
mutex_unlock(&ps->sk_lock);
+ /* Keep the reference we've grabbed on the session: sk doesn't expect
+ * the session to disappear. pppol2tp_session_destruct() is responsible
+ * for dropping it.
+ */
+ drop_refcnt = false;
+
sk->sk_state = PPPOX_CONNECTED;
PRINTK(session->debug, PPPOL2TP_MSG_CONTROL, KERN_INFO,
"%s: created\n", session->name);
@@ -862,7 +873,6 @@ static int pppol2tp_session_create(struc
{
int error;
struct l2tp_session *session;
- struct pppol2tp_session *ps;
/* Error if tunnel socket is not prepped */
if (!tunnel->sock) {
@@ -885,9 +895,7 @@ static int pppol2tp_session_create(struc
goto err;
}
- ps = l2tp_session_priv(session);
- mutex_init(&ps->sk_lock);
- ps->tunnel_sock = tunnel->sock;
+ pppol2tp_session_init(session);
error = l2tp_session_register(session, tunnel);
if (error < 0)
next prev parent reply other threads:[~2018-02-11 4:20 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-11 4:20 [PATCH 3.2 00/79] 3.2.99-rc1 review Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 24/79] isofs: fix timestamps beyond 2027 Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 56/79] ALSA: usb-audio: Fix potential out-of-bound access at parsing SU Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 61/79] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 58/79] ALSA: usb-audio: Add sanity checks in v2 clock parsers Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 53/79] nilfs2: fix race condition that causes file system corruption Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 37/79] IB/mlx4: Increase maximal message size under UD QP Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 30/79] kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 75/79] usbip: prevent vhci_hcd driver from leaking a socket pointer address Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 40/79] s390/disassembler: increase show_code buffer size Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 18/79] l2tp: don't register sessions in l2tp_session_create() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 63/79] netfilter: xt_TCPMSS: Fix missing fragmentation handling Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 57/79] ALSA: usb-audio: Fix potential zero-division at parsing FU Ben Hutchings
2018-02-12 6:59 ` Takashi Iwai
2018-02-13 18:28 ` Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 67/79] RDS: Heap OOB write in rds_message_alloc_sgs() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 15/79] l2tp: purge session reorder queue on delete Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 66/79] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 70/79] staging: usbip: removed #if 0'd out code Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 36/79] blktrace: fix unlocked access to init/start-stop/teardown Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 72/79] usb: add helper to extract bits 12:11 of wMaxPacketSize Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 65/79] netfilter: xt_TCPMSS: correct return value in tcpmss_mangle_packet Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 11/79] tpm-dev-common: Reject too short writes Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 34/79] dm: fix race between dm_get_from_kobject() and __dm_destroy() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 64/79] netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 77/79] [media] cx231xx: Fix the max number of interfaces Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 51/79] autofs: don't fail mount for transient error Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 62/79] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 20/79] l2tp: protect sock pointer of struct pppol2tp_session with RCU Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 60/79] x86/decoder: Add new TEST instruction pattern Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 69/79] ALSA: seq: Make ioctls race-free Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 43/79] net/sctp: Always set scope_id in sctp_inet6_skb_msgname Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 45/79] dm bufio: fix integer overflow when limiting maximum cache size Ben Hutchings
2018-02-11 4:20 ` Ben Hutchings [this message]
2018-02-11 4:20 ` [PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 46/79] KVM: vmx: Inject #GP on invalid PAT CR Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 19/79] l2tp: initialise l2tp_eth sessions before registering them Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 12/79] fs/9p: Compare qid.path in v9fs_test_inode Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 54/79] ALSA: timer: Remove kernel warning at compat ioctl error paths Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 41/79] sctp: Fixup v4mapped behaviour to comply with Sock API Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 26/79] coda: fix 'kernel memory exposure attempt' in fsync Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 07/79] media: rc: check for integer overflow Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 76/79] usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 32/79] video: udlfb: Fix read EDID timeout Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 28/79] media: Don't do DMA on stack for firmware upload in the AS102 driver Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 13/79] net/9p: Switch to wait_event_killable() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 74/79] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 71/79] usbip: Fix sscanf handling Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 35/79] blktrace: Fix potential deadlock between delete & sysfs ops Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 25/79] USB: Add delay-init quirk for Corsair K70 LUX keyboards Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 49/79] autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 55/79] ALSA: usb-audio: Add sanity checks to FE parser Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 47/79] KVM: SVM: obey guest PAT Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 42/79] sctp: fully initialize the IPv6 address in sctp_v6_to_addr() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 73/79] usbip: fix stub_rx: get_pipe() to validate endpoint number Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 48/79] nfs: Fix ugly referral attributes Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 22/79] media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 59/79] ALSA: hda: Add Raven PCI ID Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 31/79] USB: usbfs: compute urb->actual_length for isochronous Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 09/79] scsi: bfa: integer overflow in debugfs Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 50/79] autofs4: catatonic_mode vs. notify_daemon race Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 29/79] x86/smp: Don't ever patch back to UP if we unplug cpus Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 44/79] dm: discard support requires all targets in a table support discards Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 38/79] ocfs2: fix issue that ocfs2_setattr() does not deal with new_i_size==i_size Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 52/79] autofs: fix careless error in recent commit Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr() Ben Hutchings
2018-02-11 7:39 ` alex chen
2018-02-11 18:01 ` Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 23/79] mtd: nand: Fix writing mtdoops to nand flash Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 33/79] rt2x00usb: mark device removed when get ENOENT usb error Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 27/79] eCryptfs: use after free in ecryptfs_release_messaging() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 05/79] USB: serial: garmin_gps: fix I/O after failed probe and remove Ben Hutchings
2018-02-11 11:18 ` [PATCH 3.2 00/79] 3.2.99-rc1 review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1518322806.472433265@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=g.nault@alphalink.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox