[net,0/5] l2tp: fix API races discovered by syzbot

Message ID	1519407947-14861-1-git-send-email-jchapman@katalix.com
Headers	show Return-Path: <netdev-owner@vger.kernel.org> sender: james) by mail.katalix.com (Postfix) with ESMTPSA id 052BF85E2B for <netdev@vger.kernel.org>; Fri, 23 Feb 2018 17:45:54 +0000 (GMT) From: James Chapman <jchapman@katalix.com> To: netdev@vger.kernel.org Subject: [PATCH net 0/5] l2tp: fix API races discovered by syzbot Date: Fri, 23 Feb 2018 17:45:42 +0000 Message-Id: <1519407947-14861-1-git-send-email-jchapman@katalix.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	l2tp: fix API races discovered by syzbot \| expand [net,0/5] l2tp: fix API races discovered by syzbot [net,1/5] l2tp: don't use inet_shutdown on tunnel destroy [net,2/5] l2tp: don't use inet_shutdown on ppp session destroy [net,3/5] l2tp: fix races with tunnel socket close [net,4/5] l2tp: fix race in pppol2tp_release with session object destroy [net,5/5] l2tp: fix tunnel lookup use-after-free race

Message ID

1519407947-14861-1-git-send-email-jchapman@katalix.com

Headers

From: James Chapman <jchapman@katalix.com>
To: netdev@vger.kernel.org
Subject: [PATCH net 0/5] l2tp: fix API races discovered by syzbot
Date: Fri, 23 Feb 2018 17:45:42 +0000
Message-Id: <1519407947-14861-1-git-send-email-jchapman@katalix.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

l2tp: fix API races discovered by syzbot | expand

Message

James Chapman Feb. 23, 2018, 5:45 p.m. UTC

This patch series addresses several races with L2TP APIs discovered by
syzbot. There are no functional changes.

The set of patches 1-5 in combination fix the following syzbot reports.

19c09769f WARNING in debug_print_object
347bd5acd KASAN: use-after-free Read in inet_shutdown
6e6a5ec8d general protection fault in pppol2tp_connect
9df43faf0 KASAN: use-after-free Read in pppol2tp_connect

My first attempts to fix these issues were as net-next patches but
the series included other refactoring and cleanup work. I was asked to
separate out the bugfixes and redo for the net tree, which is what
these patches are.

The changes are:

 1. Fix inet_shutdown races when L2TP tunnels and sessions close. (patches 1-2)
 2. Fix races with tunnel and its socket. (patch 3)
 3. Fix race in pppol2tp_release with session and its socket. (patch 4)
 4. Fix tunnel lookup use-after-free. (patch 5)

All of the syzbot reproducers hit races in the tunnel and pppol2tp
session create and destroy paths. These tests create and destroy
pppol2tp tunnels and sessions rapidly using multiple threads,
provoking races in several tunnel/session create/destroy paths. The
key problem was that each tunnel/session socket could be destroyed
while its associated tunnel/session object still existed (patches 3,
4). Patch 5 addresses a problem with the way tunnels are removed from
the tunnel list. Patch 5 is tagged that it addresses all four syzbot
issues, though all 5 patches are needed.

James Chapman (5):
  l2tp: don't use inet_shutdown on tunnel destroy
  l2tp: don't use inet_shutdown on ppp session destroy
  l2tp: fix races with tunnel socket close
  l2tp: fix race in pppol2tp_release with session object destroy
  l2tp: fix tunnel lookup use-after-free race

 net/l2tp/l2tp_core.c | 142 ++++++++++++++++-----------------------------------
 net/l2tp/l2tp_core.h |  23 +--------
 net/l2tp/l2tp_ip.c   |  10 ++--
 net/l2tp/l2tp_ip6.c  |   8 ++-
 net/l2tp/l2tp_ppp.c  |  60 ++++++++++------------
 5 files changed, 77 insertions(+), 166 deletions(-)

--

Comments

David Miller Feb. 26, 2018, 5:21 p.m. UTC | #1

From: James Chapman <jchapman@katalix.com>
Date: Fri, 23 Feb 2018 17:45:42 +0000

> This patch series addresses several races with L2TP APIs discovered by
> syzbot. There are no functional changes.

Series applied and queued up for -stable, thanks!