{"id":817513,"url":"http://patchwork.ozlabs.org/api/patches/817513/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/11b04a711e0c263d3d7626961cd211464360d314.1506086081.git.g.nault@alphalink.fr/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<11b04a711e0c263d3d7626961cd211464360d314.1506086081.git.g.nault@alphalink.fr>","list_archive_url":null,"date":"2017-09-22T13:39:24","name":"[net,2/2] l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"2fe3bce4a142926e2a4041a0ab0ba4eb615525fc","submitter":{"id":22975,"url":"http://patchwork.ozlabs.org/api/people/22975/?format=json","name":"Guillaume Nault","email":"g.nault@alphalink.fr"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/11b04a711e0c263d3d7626961cd211464360d314.1506086081.git.g.nault@alphalink.fr/mbox/","series":[{"id":4627,"url":"http://patchwork.ozlabs.org/api/series/4627/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=4627","date":"2017-09-22T13:39:22","name":"l2tp: fix some races in session 
deletion","version":1,"mbox":"http://patchwork.ozlabs.org/series/4627/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/817513/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/817513/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xzF2h69qDz9s06\n\tfor <patchwork-incoming@ozlabs.org>;\n\tFri, 22 Sep 2017 23:39:40 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752376AbdIVNje (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 22 Sep 2017 09:39:34 -0400","from zimbra.alphalink.fr ([217.15.80.77]:52471 \"EHLO\n\tzimbra.alphalink.fr\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1752340AbdIVNjc (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Fri, 22 Sep 2017 09:39:32 -0400","from localhost (localhost [127.0.0.1])\n\tby mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id\n\tA27432B5206F; Fri, 22 Sep 2017 15:39:31 +0200 (CEST)","from zimbra.alphalink.fr ([127.0.0.1])\n\tby localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])\n\t(amavisd-new, port 10032)\n\twith ESMTP id IY2cYXijsnPW; Fri, 22 Sep 2017 15:39:24 +0200 (CEST)","from localhost (localhost [127.0.0.1])\n\tby mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id\n\tD5D462B5212C; Fri, 22 Sep 2017 15:39:24 +0200 (CEST)","from zimbra.alphalink.fr ([127.0.0.1])\n\tby localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])\n\t(amavisd-new, port 10026)\n\twith ESMTP id 7mNNWR1AH840; Fri, 22 Sep 2017 15:39:24 +0200 (CEST)","from c-dev-0.admin.alphalink.fr 
(94-84-15-217.reverse.alphalink.fr\n\t[217.15.84.94])\n\tby mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id\n\tAD5CA2B52057; Fri, 22 Sep 2017 15:39:24 +0200 (CEST)","by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)\n\tid 92A3660179; Fri, 22 Sep 2017 15:39:24 +0200 (CEST)"],"X-Virus-Scanned":"amavisd-new at mail-2-cbv2.admin.alphalink.fr","Date":"Fri, 22 Sep 2017 15:39:24 +0200","From":"Guillaume Nault <g.nault@alphalink.fr>","To":"netdev@vger.kernel.org","Cc":"James Chapman <jchapman@katalix.com>, Tom Parkin <tparkin@katalix.com>,\n\tSabrina Dubroca <sd@queasysnail.net>","Subject":"[PATCH net 2/2] l2tp: fix race between l2tp_session_delete() and\n\tl2tp_tunnel_closeall()","Message-ID":"<11b04a711e0c263d3d7626961cd211464360d314.1506086081.git.g.nault@alphalink.fr>","References":"<cover.1506086081.git.g.nault@alphalink.fr>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<cover.1506086081.git.g.nault@alphalink.fr>","X-Mutt-Fcc":"=Sent","User-Agent":"NeoMutt/20170609 (1.8.3)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"There are several ways to remove L2TP sessions:\n\n  * deleting a session explicitly using the netlink interface (with\n    L2TP_CMD_SESSION_DELETE),\n  * deleting the session's parent tunnel (either by closing the\n    tunnel's file descriptor or using the netlink interface),\n  * closing the PPPOL2TP file descriptor of a PPP pseudo-wire.\n\nIn some cases, when these methods are used concurrently on the same\nsession, the session can be removed twice, leading to use-after-free\nbugs.\n\nThis patch adds a 'dead' flag, used by l2tp_session_delete() and\nl2tp_tunnel_closeall() to prevent them from stepping on each other's\ntoes.\n\nThe session deletion path used when closing a PPPOL2TP file descriptor\ndoesn't need to be adapted. 
It already has to ensure that a session\nremains valid for the lifetime of its PPPOL2TP file descriptor.\nSo it takes an extra reference on the session in the ->session_close()\ncallback (pppol2tp_session_close()), which is eventually dropped\nin the ->sk_destruct() callback of the PPPOL2TP socket\n(pppol2tp_session_destruct()).\nStill, __l2tp_session_unhash() and l2tp_session_queue_purge() can be\ncalled twice and even concurrently for a given session, but thanks to\nproper locking and re-initialisation of list fields, this is not an\nissue.\n\nSigned-off-by: Guillaume Nault <g.nault@alphalink.fr>\n---\n net/l2tp/l2tp_core.c | 6 ++++++\n net/l2tp/l2tp_core.h | 1 +\n 2 files changed, 7 insertions(+)","diff":"diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c\nindex ee485df73ccd..d8c2a89a76e1 100644\n--- a/net/l2tp/l2tp_core.c\n+++ b/net/l2tp/l2tp_core.c\n@@ -1314,6 +1314,9 @@ void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)\n \n \t\t\thlist_del_init(&session->hlist);\n \n+\t\t\tif (test_and_set_bit(0, &session->dead))\n+\t\t\t\tgoto again;\n+\n \t\t\tif (session->ref != NULL)\n \t\t\t\t(*session->ref)(session);\n \n@@ -1750,6 +1753,9 @@ EXPORT_SYMBOL_GPL(__l2tp_session_unhash);\n  */\n int l2tp_session_delete(struct l2tp_session *session)\n {\n+\tif (test_and_set_bit(0, &session->dead))\n+\t\treturn 0;\n+\n \tif (session->ref)\n \t\t(*session->ref)(session);\n \t__l2tp_session_unhash(session);\ndiff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h\nindex a305e0c5925a..70a12df40a5f 100644\n--- a/net/l2tp/l2tp_core.h\n+++ b/net/l2tp/l2tp_core.h\n@@ -76,6 +76,7 @@ struct l2tp_session_cfg {\n struct l2tp_session {\n \tint\t\t\tmagic;\t\t/* should be\n \t\t\t\t\t\t * L2TP_SESSION_MAGIC */\n+\tlong\t\t\tdead;\n \n \tstruct l2tp_tunnel\t*tunnel;\t/* back pointer to tunnel\n \t\t\t\t\t\t * context */\n","prefixes":["net","2/2"]}
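Review bot: in the l2tp_tunnel_closeall() hunk of net/l2tp/l2tp_core.c, the new `if (test_and_set_bit(0, &session->dead)) goto again;` is placed after `hlist_del_init(&session->hlist);` with no comment saying that this order matters. As written, a session that another path already marked dead is still unlinked from the tunnel's hash list before the jump, so the walk restarted at `again` does not meet the same entry a second time. A one-line comment stating this would keep a later cleanup from moving the test above the unlink. The `again` label and the locking around it are outside the visible context, so please confirm that this jump reaches the label in the state the loop expects. The bare bit index 0 is also used in l2tp_session_delete(); a named constant would tie the two sites together.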
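Review bot: in the l2tp_session_delete() hunk of net/l2tp/l2tp_core.c, the early `return 0;` taken when the dead bit is already set gives the losing caller the same return value as the caller that actually performs the deletion, and the function comment that ends just above the signature is not updated to say so. That return happens before `(*session->ref)(session)` and `__l2tp_session_unhash(session)`, so a caller that receives 0 this way cannot assume the teardown has run, or that it has finished if the other path is still in progress. Suggest extending the comment to state that the function is idempotent and that 0 means only that deletion has been started by some caller.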
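Review bot: in the struct l2tp_session hunk of net/l2tp/l2tp_core.h, the new `long dead;` is the only member in the visible context without a comment, and it is declared signed although both users pass its address to test_and_set_bit(), which operates on an unsigned long bitmap. Suggest `unsigned long dead;` with a short comment saying that bit 0 is set once by whichever of l2tp_session_delete() or l2tp_tunnel_closeall() starts tearing the session down, and is never cleared.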