[net-next,v2,05/16] l2tp: use tunnel closing flag

Message ID	1518430280-16671-6-git-send-email-jchapman@katalix.com
State	Changes Requested, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> sender: james) by mail.katalix.com (Postfix) with ESMTPSA id BB24BADED1; Mon, 12 Feb 2018 10:11:22 +0000 (GMT) From: James Chapman <jchapman@katalix.com> To: netdev@vger.kernel.org Cc: kbuild-all@01.org Subject: [PATCH net-next v2 05/16] l2tp: use tunnel closing flag Date: Mon, 12 Feb 2018 10:11:09 +0000 Message-Id: <1518430280-16671-6-git-send-email-jchapman@katalix.com> In-Reply-To: <1518430280-16671-1-git-send-email-jchapman@katalix.com> References: <1518430280-16671-1-git-send-email-jchapman@katalix.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	l2tp: fix API races discovered by syzbot \| expand [net-next,v2,00/16] l2tp: fix API races discovered by syzbot [net-next,v2,01/16] l2tp: update sk_user_data while holding sk_callback_lock [net-next,v2,02/16] l2tp: add RCU read lock to protect tunnel ptr in ip socket destroy [net-next,v2,03/16] l2tp: don't use inet_shutdown on tunnel destroy [net-next,v2,04/16] l2tp: refactor tunnel lifetime handling wrt its socket [net-next,v2,05/16] l2tp: use tunnel closing flag [net-next,v2,06/16] l2tp: refactor session lifetime handling [net-next,v2,07/16] l2tp: hide sessions if they are closing [net-next,v2,08/16] l2tp: hide session from pppol2tp_sock_to_session if it is closing [net-next,v2,09/16] l2tp: refactor pppol2tp_connect [net-next,v2,10/16] l2tp: add session_free callback [net-next,v2,11/16] l2tp: do session destroy using a workqueue [net-next,v2,12/16] l2tp: simplify l2tp_tunnel_closeall [net-next,v2,13/16] l2tp: refactor ppp session cleanup paths [net-next,v2,14/16] l2tp: remove redundant sk_user_data check when creating tunnels [net-next,v2,15/16] l2tp: remove unwanted error message [net-next,v2,16/16] l2tp: make __l2tp_session_unhash internal

Message ID

1518430280-16671-6-git-send-email-jchapman@katalix.com

State

Changes Requested, archived

Delegated to:

David Miller

Headers

From: James Chapman <jchapman@katalix.com>
To: netdev@vger.kernel.org
Cc: kbuild-all@01.org
Subject: [PATCH net-next v2 05/16] l2tp: use tunnel closing flag
Date: Mon, 12 Feb 2018 10:11:09 +0000
Message-Id: <1518430280-16671-6-git-send-email-jchapman@katalix.com>
In-Reply-To: <1518430280-16671-1-git-send-email-jchapman@katalix.com>
References: <1518430280-16671-1-git-send-email-jchapman@katalix.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

l2tp: fix API races discovered by syzbot | expand

Commit Message

James Chapman Feb. 12, 2018, 10:11 a.m. UTC

The tunnel's closing flag is set when the tunnel is being
destroyed. Use it to reject new sessions and remove acpt_newsess which
was doing the same thing. Also prevent the tunnel being seen in
l2tp_tunnel_get lookups.
---
 net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++------
 net/l2tp/l2tp_core.h |  4 ----
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 49d6e06099ec..691fe9368d91 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -163,6 +163,13 @@  struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
 	rcu_read_lock_bh();
 	list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
 		if (tunnel->tunnel_id == tunnel_id) {
+			spin_lock_bh(&tunnel->lock);
+			if (tunnel->closing) {
+				spin_unlock_bh(&tunnel->lock);
+				rcu_read_unlock_bh();
+				return NULL;
+			}
+			spin_unlock_bh(&tunnel->lock);
 			l2tp_tunnel_inc_refcount(tunnel);
 			rcu_read_unlock_bh();
 
@@ -278,13 +285,16 @@  int l2tp_session_register(struct l2tp_session *session,
 	struct l2tp_net *pn;
 	int err;
 
+	spin_lock_bh(&tunnel->lock);
+	if (tunnel->closing) {
+		spin_unlock_bh(&tunnel->lock);
+		return -ENODEV;
+	}
+	spin_unlock_bh(&tunnel->lock);
+
 	head = l2tp_session_id_hash(tunnel, session->session_id);
 
 	write_lock_bh(&tunnel->hlist_lock);
-	if (!tunnel->acpt_newsess) {
-		err = -ENODEV;
-		goto err_tlock;
-	}
 
 	hlist_for_each_entry(session_walk, head, hlist)
 		if (session_walk->session_id == session->session_id) {
@@ -1220,7 +1230,6 @@  void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
 		  tunnel->name);
 
 	write_lock_bh(&tunnel->hlist_lock);
-	tunnel->acpt_newsess = false;
 	for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
 again:
 		hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
@@ -1506,7 +1515,6 @@  int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
 	sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
 	spin_lock_init(&tunnel->lock);
 	rwlock_init(&tunnel->hlist_lock);
-	tunnel->acpt_newsess = true;
 
 	/* The net we belong to */
 	tunnel->l2tp_net = net;
@@ -1710,6 +1718,13 @@  struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 {
 	struct l2tp_session *session;
 
+	spin_lock_bh(&tunnel->lock);
+	if (tunnel->closing) {
+		spin_unlock_bh(&tunnel->lock);
+		return ERR_PTR(-ENODEV);
+	}
+	spin_unlock_bh(&tunnel->lock);
+
 	session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
 	if (session != NULL) {
 		session->magic = L2TP_SESSION_MAGIC;
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index e88ff7895ccb..4e098c822cd1 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -160,10 +160,6 @@  struct l2tp_tunnel {
 
 	struct rcu_head rcu;
 	rwlock_t		hlist_lock;	/* protect session_hlist */
-	bool			acpt_newsess;	/* Indicates whether this
-						 * tunnel accepts new sessions.
-						 * Protected by hlist_lock.
-						 */
 	struct hlist_head	session_hlist[L2TP_HASH_SIZE];
 						/* hashed list of sessions,
 						 * hashed by id */

[net-next,v2,05/16] l2tp: use tunnel closing flag

Commit Message

Patch