From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"David S. Miller" <davem@davemloft.net>,
"Guillaume Nault" <g.nault@alphalink.fr>
Subject: [PATCH 3.2 18/79] l2tp: don't register sessions in l2tp_session_create()
Date: Sun, 11 Feb 2018 04:20:06 +0000 [thread overview]
Message-ID: <lsq.1518322806.595736709@decadent.org.uk> (raw)
In-Reply-To: <lsq.1518322802.943358572@decadent.org.uk>
3.2.99-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit 3953ae7b218df4d1e544b98a393666f9ae58a78c upstream.
Sessions created by l2tp_session_create() aren't fully initialised:
some pseudo-wire specific operations need to be done before making the
session usable. Therefore the PPP and Ethernet pseudo-wires continue
working on the returned l2tp session while it's already been exposed to
the rest of the system.
This can lead to various issues. In particular, the session may enter
the deletion process before having been fully initialised, which will
confuse the session removal code.
This patch moves session registration out of l2tp_session_create(), so
that callers can control when the session is exposed to the rest of the
system. This is done by the new l2tp_session_register() function.
Only pppol2tp_session_create() can be easily converted to avoid
modifying its session after registration (the debug message is dropped
in order to avoid the need for holding a reference on the session).
For pppol2tp_connect() and l2tp_eth_create()), more work is needed.
That'll be done in followup patches. For now, let's just register the
session right after its creation, like it was done before. The only
difference is that we can easily take a reference on the session before
registering it, so, at least, we're sure it's not going to be freed
while we're working on it.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_core.c | 21 +++++++--------------
net/l2tp/l2tp_core.h | 3 +++
net/l2tp/l2tp_eth.c | 9 +++++++++
net/l2tp/l2tp_ppp.c | 23 +++++++++++++++++------
4 files changed, 36 insertions(+), 20 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -327,8 +327,8 @@ struct l2tp_session *l2tp_session_get_by
}
EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
-static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
- struct l2tp_session *session)
+int l2tp_session_register(struct l2tp_session *session,
+ struct l2tp_tunnel *tunnel)
{
struct l2tp_session *session_walk;
struct hlist_head *g_head;
@@ -377,6 +377,10 @@ static int l2tp_session_add_to_tunnel(st
hlist_add_head(&session->hlist, head);
write_unlock_bh(&tunnel->hlist_lock);
+ /* Ignore management session in session count value */
+ if (session->session_id != 0)
+ atomic_inc(&l2tp_session_count);
+
return 0;
err_tlock_pnlock:
@@ -386,6 +390,7 @@ err_tlock:
return err;
}
+EXPORT_SYMBOL_GPL(l2tp_session_register);
/* Lookup a tunnel by id
*/
@@ -1703,7 +1708,6 @@ static void l2tp_session_set_header_len(
struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
{
struct l2tp_session *session;
- int err;
session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
if (session != NULL) {
@@ -1752,17 +1756,6 @@ struct l2tp_session *l2tp_session_create
l2tp_session_inc_refcount(session);
- err = l2tp_session_add_to_tunnel(tunnel, session);
- if (err) {
- kfree(session);
-
- return ERR_PTR(err);
- }
-
- /* Ignore management session in session count value */
- if (session->session_id != 0)
- atomic_inc(&l2tp_session_count);
-
return session;
}
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -246,6 +246,8 @@ extern struct l2tp_tunnel *l2tp_tunnel_f
extern int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp);
extern int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
extern struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg);
+int l2tp_session_register(struct l2tp_session *session,
+ struct l2tp_tunnel *tunnel);
extern int l2tp_session_delete(struct l2tp_session *session);
extern void l2tp_session_free(struct l2tp_session *session);
extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int (*payload_hook)(struct sk_buff *skb));
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -194,6 +194,13 @@ static int l2tp_eth_create(struct net *n
goto out;
}
+ l2tp_session_inc_refcount(session);
+ rc = l2tp_session_register(session, tunnel);
+ if (rc < 0) {
+ kfree(session);
+ goto out;
+ }
+
dev = alloc_netdev(sizeof(*priv), name, l2tp_eth_dev_setup);
if (!dev) {
rc = -ENOMEM;
@@ -227,6 +234,7 @@ static int l2tp_eth_create(struct net *n
__module_get(THIS_MODULE);
/* Must be done after register_netdev() */
strlcpy(session->ifname, dev->name, IFNAMSIZ);
+ l2tp_session_dec_refcount(session);
dev_hold(dev);
@@ -237,6 +245,7 @@ out_del_dev:
spriv->dev = NULL;
out_del_session:
l2tp_session_delete(session);
+ l2tp_session_dec_refcount(session);
out:
return rc;
}
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -734,6 +734,14 @@ static int pppol2tp_connect(struct socke
error = PTR_ERR(session);
goto end;
}
+
+ l2tp_session_inc_refcount(session);
+ error = l2tp_session_register(session, tunnel);
+ if (error < 0) {
+ kfree(session);
+ goto end;
+ }
+ drop_refcnt = true;
}
/* Associate session with its PPPoL2TP socket */
@@ -821,7 +829,7 @@ static int pppol2tp_session_create(struc
/* Error if tunnel socket is not prepped */
if (!tunnel->sock) {
error = -ENOENT;
- goto out;
+ goto err;
}
/* Default MTU values. */
@@ -836,18 +844,21 @@ static int pppol2tp_session_create(struc
peer_session_id, cfg);
if (IS_ERR(session)) {
error = PTR_ERR(session);
- goto out;
+ goto err;
}
ps = l2tp_session_priv(session);
ps->tunnel_sock = tunnel->sock;
- PRINTK(session->debug, PPPOL2TP_MSG_CONTROL, KERN_INFO,
- "%s: created\n", session->name);
-
- error = 0;
-
-out:
+ error = l2tp_session_register(session, tunnel);
+ if (error < 0)
+ goto err_sess;
+
+ return 0;
+
+err_sess:
+ kfree(session);
+err:
return error;
}
next prev parent reply other threads:[~2018-02-11 4:20 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-11 4:20 [PATCH 3.2 00/79] 3.2.99-rc1 review Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 67/79] RDS: Heap OOB write in rds_message_alloc_sgs() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 57/79] ALSA: usb-audio: Fix potential zero-division at parsing FU Ben Hutchings
2018-02-12 6:59 ` Takashi Iwai
2018-02-13 18:28 ` Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 36/79] blktrace: fix unlocked access to init/start-stop/teardown Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 70/79] staging: usbip: removed #if 0'd out code Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 66/79] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 15/79] l2tp: purge session reorder queue on delete Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 40/79] s390/disassembler: increase show_code buffer size Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 75/79] usbip: prevent vhci_hcd driver from leaking a socket pointer address Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 30/79] kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 58/79] ALSA: usb-audio: Add sanity checks in v2 clock parsers Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 37/79] IB/mlx4: Increase maximal message size under UD QP Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 53/79] nilfs2: fix race condition that causes file system corruption Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 56/79] ALSA: usb-audio: Fix potential out-of-bound access at parsing SU Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 61/79] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 24/79] isofs: fix timestamps beyond 2027 Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 63/79] netfilter: xt_TCPMSS: Fix missing fragmentation handling Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer Ben Hutchings
2018-02-11 4:20 ` Ben Hutchings [this message]
2018-02-11 4:20 ` [PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 60/79] x86/decoder: Add new TEST instruction pattern Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 20/79] l2tp: protect sock pointer of struct pppol2tp_session with RCU Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 62/79] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 51/79] autofs: don't fail mount for transient error Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 45/79] dm bufio: fix integer overflow when limiting maximum cache size Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 21/79] l2tp: initialise PPP sessions before registering them Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 43/79] net/sctp: Always set scope_id in sctp_inet6_skb_msgname Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 69/79] ALSA: seq: Make ioctls race-free Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 11/79] tpm-dev-common: Reject too short writes Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 72/79] usb: add helper to extract bits 12:11 of wMaxPacketSize Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 65/79] netfilter: xt_TCPMSS: correct return value in tcpmss_mangle_packet Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 77/79] [media] cx231xx: Fix the max number of interfaces Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 64/79] netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 34/79] dm: fix race between dm_get_from_kobject() and __dm_destroy() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 49/79] autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 25/79] USB: Add delay-init quirk for Corsair K70 LUX keyboards Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 35/79] blktrace: Fix potential deadlock between delete & sysfs ops Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 71/79] usbip: Fix sscanf handling Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 74/79] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 73/79] usbip: fix stub_rx: get_pipe() to validate endpoint number Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 47/79] KVM: SVM: obey guest PAT Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 42/79] sctp: fully initialize the IPv6 address in sctp_v6_to_addr() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 55/79] ALSA: usb-audio: Add sanity checks to FE parser Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 54/79] ALSA: timer: Remove kernel warning at compat ioctl error paths Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 12/79] fs/9p: Compare qid.path in v9fs_test_inode Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 19/79] l2tp: initialise l2tp_eth sessions before registering them Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 46/79] KVM: vmx: Inject #GP on invalid PAT CR Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 13/79] net/9p: Switch to wait_event_killable() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 28/79] media: Don't do DMA on stack for firmware upload in the AS102 driver Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 32/79] video: udlfb: Fix read EDID timeout Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 76/79] usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 26/79] coda: fix 'kernel memory exposure attempt' in fsync Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 07/79] media: rc: check for integer overflow Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 41/79] sctp: Fixup v4mapped behaviour to comply with Sock API Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 27/79] eCryptfs: use after free in ecryptfs_release_messaging() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 05/79] USB: serial: garmin_gps: fix I/O after failed probe and remove Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 09/79] scsi: bfa: integer overflow in debugfs Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 31/79] USB: usbfs: compute urb->actual_length for isochronous Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 22/79] media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 59/79] ALSA: hda: Add Raven PCI ID Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 48/79] nfs: Fix ugly referral attributes Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 33/79] rt2x00usb: mark device removed when get ENOENT usb error Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr() Ben Hutchings
2018-02-11 7:39 ` alex chen
2018-02-11 18:01 ` Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 23/79] mtd: nand: Fix writing mtdoops to nand flash Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 52/79] autofs: fix careless error in recent commit Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 44/79] dm: discard support requires all targets in a table support discards Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 38/79] ocfs2: fix issue that ocfs2_setattr() does not deal with new_i_size==i_size Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 29/79] x86/smp: Don't ever patch back to UP if we unplug cpus Ben Hutchings
2018-02-11 4:20 ` [PATCH 3.2 50/79] autofs4: catatonic_mode vs. notify_daemon race Ben Hutchings
2018-02-11 11:18 ` [PATCH 3.2 00/79] 3.2.99-rc1 review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1518322806.595736709@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=g.nault@alphalink.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox