From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
"David S . Miller" <davem@davemloft.net>,
Giuliano Procida <gprocida@google.com>
Subject: [PATCH 10/22] l2tp: initialise session's refcount before making it reachable
Date: Thu, 21 May 2020 15:40:48 +0100 [thread overview]
Message-ID: <20200521144100.128936-11-gprocida@google.com> (raw)
In-Reply-To: <20200521144100.128936-1-gprocida@google.com>
From: Guillaume Nault <g.nault@alphalink.fr>
commit 9ee369a405c57613d7c83a3967780c3e30c52ecc uptream.
Sessions must be fully initialised before calling
l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame
where partially initialised sessions can be accessed by external users.
Backporting Notes
l2tp_core.c: moving code that had been converted from atomic to
refcount_t by an earlier change (which isn't being included in this
patch series).
Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
net/l2tp/l2tp_core.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index a9d4d42e2ef6..7f72957405b8 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1847,6 +1847,8 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
l2tp_session_set_header_len(session, tunnel->version);
+ l2tp_session_inc_refcount(session);
+
err = l2tp_session_add_to_tunnel(tunnel, session);
if (err) {
kfree(session);
@@ -1854,10 +1856,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
return ERR_PTR(err);
}
- /* Bump the reference count. The session context is deleted
- * only when this drops to zero.
- */
- l2tp_session_inc_refcount(session);
l2tp_tunnel_inc_refcount(tunnel);
/* Ensure tunnel socket isn't deleted */
--
2.26.2.761.g0e0b3e54be-goog
next prev parent reply other threads:[~2020-05-21 14:41 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-21 14:40 [PATCH 00/22] l2tp locking and ordering fixes Giuliano Procida
2020-05-21 14:40 ` [PATCH 01/22] net: l2tp: export debug flags to UAPI Giuliano Procida
2020-05-21 14:40 ` [PATCH 02/22] net: l2tp: deprecate PPPOL2TP_MSG_* in favour of L2TP_MSG_* Giuliano Procida
2020-05-21 14:40 ` [PATCH 03/22] net: l2tp: ppp: change PPPOL2TP_MSG_* => L2TP_MSG_* Giuliano Procida
2020-05-21 14:40 ` [PATCH 04/22] New kernel function to get IP overhead on a socket Giuliano Procida
2020-05-21 14:40 ` [PATCH 05/22] L2TP:Adjust intf MTU, add underlay L3, L2 hdrs Giuliano Procida
2020-05-21 14:40 ` [PATCH 06/22] l2tp: remove useless duplicate session detection in l2tp_netlink Giuliano Procida
2020-05-21 14:40 ` [PATCH 07/22] l2tp: remove l2tp_session_find() Giuliano Procida
2020-05-21 14:40 ` [PATCH 08/22] l2tp: define parameters of l2tp_session_get*() as "const" Giuliano Procida
2020-05-21 14:40 ` [PATCH 09/22] l2tp: define parameters of l2tp_tunnel_find*() " Giuliano Procida
2020-05-21 14:40 ` Giuliano Procida [this message]
2020-05-21 14:40 ` [PATCH 11/22] l2tp: hold tunnel while looking up sessions in l2tp_netlink Giuliano Procida
2020-05-21 14:40 ` [PATCH 12/22] l2tp: hold tunnel while processing genl delete command Giuliano Procida
2020-05-21 14:40 ` [PATCH 13/22] l2tp: hold tunnel while handling genl tunnel updates Giuliano Procida
2020-05-21 14:40 ` [PATCH 14/22] l2tp: hold tunnel while handling genl TUNNEL_GET commands Giuliano Procida
2020-05-21 14:40 ` [PATCH 15/22] l2tp: hold tunnel used while creating sessions with netlink Giuliano Procida
2020-05-21 14:40 ` [PATCH 16/22] l2tp: prevent creation of sessions on terminated tunnels Giuliano Procida
2020-05-21 14:40 ` [PATCH 17/22] l2tp: pass tunnel pointer to ->session_create() Giuliano Procida
2020-05-21 14:40 ` [PATCH 18/22] l2tp: fix l2tp_eth module loading Giuliano Procida
2020-05-21 14:40 ` [PATCH 19/22] l2tp: don't register sessions in l2tp_session_create() Giuliano Procida
2020-05-21 14:40 ` [PATCH 20/22] l2tp: initialise l2tp_eth sessions before registering them Giuliano Procida
2020-05-21 14:40 ` [PATCH 21/22] l2tp: protect sock pointer of struct pppol2tp_session with RCU Giuliano Procida
2020-05-21 14:41 ` [PATCH 22/22] l2tp: initialise PPP sessions before registering them Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 00/22] l2tp locking and ordering fixes Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 01/22] net: l2tp: export debug flags to UAPI Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 02/22] net: l2tp: deprecate PPPOL2TP_MSG_* in favour of L2TP_MSG_* Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 03/22] net: l2tp: ppp: change PPPOL2TP_MSG_* => L2TP_MSG_* Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 04/22] New kernel function to get IP overhead on a socket Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 05/22] L2TP:Adjust intf MTU, add underlay L3, L2 hdrs Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 06/22] l2tp: remove useless duplicate session detection in l2tp_netlink Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 07/22] l2tp: remove l2tp_session_find() Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 08/22] l2tp: define parameters of l2tp_session_get*() as "const" Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 09/22] l2tp: define parameters of l2tp_tunnel_find*() " Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 10/22] l2tp: initialise session's refcount before making it reachable Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 11/22] l2tp: hold tunnel while looking up sessions in l2tp_netlink Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 12/22] l2tp: hold tunnel while processing genl delete command Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 13/22] l2tp: hold tunnel while handling genl tunnel updates Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 14/22] l2tp: hold tunnel while handling genl TUNNEL_GET commands Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 15/22] l2tp: hold tunnel used while creating sessions with netlink Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 16/22] l2tp: prevent creation of sessions on terminated tunnels Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 17/22] l2tp: pass tunnel pointer to ->session_create() Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 18/22] l2tp: fix l2tp_eth module loading Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 19/22] l2tp: don't register sessions in l2tp_session_create() Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 20/22] l2tp: initialise l2tp_eth sessions before registering them Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 21/22] l2tp: protect sock pointer of struct pppol2tp_session with RCU Giuliano Procida
2020-05-21 23:39 ` [PATCH v2 22/22] l2tp: initialise PPP sessions before registering them Giuliano Procida
2020-05-22 12:15 ` [PATCH v2 00/22] l2tp locking and ordering fixes Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200521144100.128936-11-gprocida@google.com \
--to=gprocida@google.com \
--cc=davem@davemloft.net \
--cc=g.nault@alphalink.fr \
--cc=greg@kroah.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).