From patchwork Fri Aug 25 14:22:17 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guillaume Nault <g.nault@alphalink.fr>
X-Patchwork-Id: 805890
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3xf3Jy2CF1z9sNv
	for <patchwork-incoming@ozlabs.org>;
	Sat, 26 Aug 2017 00:22:26 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932574AbdHYOWW (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 25 Aug 2017 10:22:22 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:50613 "EHLO
	zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932562AbdHYOWV (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 25 Aug 2017 10:22:21 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	F386A2B5206F; Fri, 25 Aug 2017 16:22:19 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10032)
	with ESMTP id e54D0ape9IED; Fri, 25 Aug 2017 16:22:18 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	4B48D2B5214B; Fri, 25 Aug 2017 16:22:18 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10026)
	with ESMTP id daOG4yFB_OPQ; Fri, 25 Aug 2017 16:22:18 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr
	[217.15.84.94])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	276892B52097; Fri, 25 Aug 2017 16:22:18 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
	id 0833D6024C; Fri, 25 Aug 2017 16:22:17 +0200 (CEST)
Date: Fri, 25 Aug 2017 16:22:17 +0200
From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>, David Miller <davem@davemloft.net>
Subject: [PATCH net] l2tp: initialise session's refcount before making it
	reachable
Message-ID: 
 <f37a31f7fbfa4c02c4a263672f86eac4e80be272.1503670839.git.g.nault@alphalink.fr>
MIME-Version: 1.0
Content-Disposition: inline
X-Mutt-Fcc: =Sent
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Sessions must be fully initialised before calling
l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame
where partially initialised sessions can be accessed by external users.

Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index b0c2d4ae781d..f363669eae47 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1844,6 +1844,8 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 
 		l2tp_session_set_header_len(session, tunnel->version);
 
+		refcount_set(&session->ref_count, 1);
+
 		err = l2tp_session_add_to_tunnel(tunnel, session);
 		if (err) {
 			kfree(session);
@@ -1851,10 +1853,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 			return ERR_PTR(err);
 		}
 
-		/* Bump the reference count. The session context is deleted
-		 * only when this drops to zero.
-		 */
-		refcount_set(&session->ref_count, 1);
 		l2tp_tunnel_inc_refcount(tunnel);
 
 		/* Ensure tunnel socket isn't deleted */