| Message ID | be5251775c626534633ce7658f6d7da93e7aecd5.1523558015.git.g.nault@alphalink.fr |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
| Series | l2tp: remove unsafe calls to l2tp_tunnel_find_nth() | expand |
From: Guillaume Nault <g.nault@alphalink.fr> Date: Thu, 12 Apr 2018 20:50:33 +0200 > l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned > tunnel, therefore it can be freed whenever the caller uses it. > This patch defines l2tp_tunnel_get_nth() which works similarly, but > also takes a reference on the returned tunnel. The caller then has to > drop it after it stops using the tunnel. > > Convert netlink dumps to make them safe against concurrent tunnel > deletion. > > Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") > Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> During the entire invocation of l2tp_nl_cmd_tunnel_dump(), the RTNL mutex is held. Therefore no tunnel configuration changes may occur and the tunnel object will persist and is safe to access. The netlink dump should be safe as-is. Were you actually able to trigger a crash or KASAN warning or is this purely from code inspection?
On Fri, Apr 13, 2018 at 10:57:03AM -0400, David Miller wrote: > From: Guillaume Nault <g.nault@alphalink.fr> > Date: Thu, 12 Apr 2018 20:50:33 +0200 > > > l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned > > tunnel, therefore it can be freed whenever the caller uses it. > > This patch defines l2tp_tunnel_get_nth() which works similarly, but > > also takes a reference on the returned tunnel. The caller then has to > > drop it after it stops using the tunnel. > > > > Convert netlink dumps to make them safe against concurrent tunnel > > deletion. > > > > Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") > > Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> > > During the entire invocation of l2tp_nl_cmd_tunnel_dump(), the RTNL > mutex is held. > > Therefore no tunnel configuration changes may occur and the tunnel > object will persist and is safe to access. > Yes, but only for updates done with the genl API. For L2TPv2, the tunnel can be created by connecting a PPPOL2TP and a UDP socket. Closing these sockets destroys the tunnel without any RTNL synchronisation. > The netlink dump should be safe as-is. > > Were you actually able to trigger a crash or KASAN warning or is > this purely from code inspection? > Yes, I have a KASAN use-after-free for this case. I remember I saw a few complains about stack traces in commit messages, so I've stopped putting them there. I can paste (stripped) traces again. Just let me know if you have any preference. Guillaume
From: Guillaume Nault <g.nault@alphalink.fr> Date: Fri, 13 Apr 2018 18:09:12 +0200 > On Fri, Apr 13, 2018 at 10:57:03AM -0400, David Miller wrote: >> From: Guillaume Nault <g.nault@alphalink.fr> >> Date: Thu, 12 Apr 2018 20:50:33 +0200 >> >> > l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned >> > tunnel, therefore it can be freed whenever the caller uses it. >> > This patch defines l2tp_tunnel_get_nth() which works similarly, but >> > also takes a reference on the returned tunnel. The caller then has to >> > drop it after it stops using the tunnel. >> > >> > Convert netlink dumps to make them safe against concurrent tunnel >> > deletion. >> > >> > Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") >> > Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> >> >> During the entire invocation of l2tp_nl_cmd_tunnel_dump(), the RTNL >> mutex is held. >> >> Therefore no tunnel configuration changes may occur and the tunnel >> object will persist and is safe to access. >> > Yes, but only for updates done with the genl API. For L2TPv2, the > tunnel can be created by connecting a PPPOL2TP and a UDP socket. > Closing these sockets destroys the tunnel without any RTNL > synchronisation. Right, that's the part I missed. Thanks for explaining.
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 0fbd3ee26165..c8c4183f0f37 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -183,6 +183,26 @@ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id) } EXPORT_SYMBOL_GPL(l2tp_tunnel_get); +struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth) +{ + const struct l2tp_net *pn = l2tp_pernet(net); + struct l2tp_tunnel *tunnel; + int count = 0; + + rcu_read_lock_bh(); + list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { + if (++count > nth) { + l2tp_tunnel_inc_refcount(tunnel); + rcu_read_unlock_bh(); + return tunnel; + } + } + rcu_read_unlock_bh(); + + return NULL; +} +EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth); + /* Lookup a session. A new reference is held on the returned session. */ struct l2tp_session *l2tp_session_get(const struct net *net, struct l2tp_tunnel *tunnel, diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h index ba33cbec71eb..e4896413b2b6 100644 --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -212,6 +212,8 @@ static inline void *l2tp_session_priv(struct l2tp_session *session) } struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id); +struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth); + void l2tp_tunnel_free(struct l2tp_tunnel *tunnel); struct l2tp_session *l2tp_session_get(const struct net *net, diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c index b05dbd9ffcb2..6616c9fd292f 100644 --- a/net/l2tp/l2tp_netlink.c +++ b/net/l2tp/l2tp_netlink.c @@ -487,14 +487,17 @@ static int l2tp_nl_cmd_tunnel_dump(struct sk_buff *skb, struct netlink_callback struct net *net = sock_net(skb->sk); for (;;) { - tunnel = l2tp_tunnel_find_nth(net, ti); + tunnel = l2tp_tunnel_get_nth(net, ti); if (tunnel == NULL) goto out; if (l2tp_nl_tunnel_send(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, NLM_F_MULTI, - tunnel, L2TP_CMD_TUNNEL_GET) < 0) + tunnel, L2TP_CMD_TUNNEL_GET) < 0) { + l2tp_tunnel_dec_refcount(tunnel); goto out; + } + l2tp_tunnel_dec_refcount(tunnel); ti++; } @@ -848,7 +851,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback for (;;) { if (tunnel == NULL) { - tunnel = l2tp_tunnel_find_nth(net, ti); + tunnel = l2tp_tunnel_get_nth(net, ti); if (tunnel == NULL) goto out; } @@ -856,6 +859,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback session = l2tp_session_get_nth(tunnel, si); if (session == NULL) { ti++; + l2tp_tunnel_dec_refcount(tunnel); tunnel = NULL; si = 0; continue; @@ -865,6 +869,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback cb->nlh->nlmsg_seq, NLM_F_MULTI, session, L2TP_CMD_SESSION_GET) < 0) { l2tp_session_dec_refcount(session); + l2tp_tunnel_dec_refcount(tunnel); break; } l2tp_session_dec_refcount(session);
l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned tunnel, therefore it can be freed whenever the caller uses it. This patch defines l2tp_tunnel_get_nth() which works similarly, but also takes a reference on the returned tunnel. The caller then has to drop it after it stops using the tunnel. Convert netlink dumps to make them safe against concurrent tunnel deletion. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> --- net/l2tp/l2tp_core.c | 20 ++++++++++++++++++++ net/l2tp/l2tp_core.h | 2 ++ net/l2tp/l2tp_netlink.c | 11 ++++++++--- 3 files changed, 30 insertions(+), 3 deletions(-)