git.baikalelectronics.ru Git - kernel.git/commit

author	Jakub Sitnicki <jakub@cloudflare.com>
	Mon, 14 Nov 2022 19:16:19 +0000 (20:16 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 6 Feb 2023 06:52:37 +0000 (07:52 +0100)
commit	262e021cd4a1add658ba335ef8a051a003ea750b
tree	4a3832feb46c97600781d795135726b8f050c4a7	tree \| snapshot
parent	ed471b84ec0fd49b040cdb00345543f6d4644167	commit \| diff

l2tp: Serialize access to sk_user_data with sk_callback_lock

[ Upstream commit 6e77507cc06bb2f9eea08a8e1a5d8d28c0a4ec6c ]

sk->sk_user_data has multiple users, which are not compatible with each
other. Writers must synchronize by grabbing the sk->sk_callback_lock.

l2tp currently fails to grab the lock when modifying the underlying tunnel
socket fields. Fix it by adding appropriate locking.

We err on the side of safety and grab the sk_callback_lock also inside the
sk_destruct callback overridden by l2tp, even though there should be no
refs allowing access to the sock at the time when sk_destruct gets called.

v4:
- serialize write to sk_user_data in l2tp sk_destruct

v3:
- switch from sock lock to sk_callback_lock
- document write-protection for sk_user_data

v2:
- update Fixes to point to origin of the bug
- use real names in Reported/Tested-by tags

Cc: Tom Parkin <tparkin@katalix.com>
Fixes: 72ecdb28cfd7 ("[L2TP]: PPP over L2TP driver core")
Reported-by: Haowei Yan <g1042620637@gmail.com>
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/sock.h		diff \| blob \| history
net/l2tp/l2tp_core.c		diff \| blob \| history