Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f6cd651b authored by Guillaume Nault's avatar Guillaume Nault Committed by David S. Miller
Browse files

l2tp: fix race in duplicate tunnel detection 



We can't use l2tp_tunnel_find() to prevent l2tp_nl_cmd_tunnel_create()
from creating a duplicate tunnel. A tunnel can be concurrently
registered after l2tp_tunnel_find() returns. Therefore, searching for
duplicates must be done at registration time.

Finally, remove l2tp_tunnel_find() entirely as it isn't use anywhere
anymore.

Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6b9f3423

net/l2tp/l2tp_core.c

+14 −21
Original line number Diff line number Diff line
@@ -335,26 +335,6 @@ int l2tp_session_register(struct l2tp_session *session, 
}

EXPORT_SYMBOL_GPL(l2tp_session_register);



/* Lookup a tunnel by id

 */

struct l2tp_tunnel *l2tp_tunnel_find(const struct net *net, u32 tunnel_id)

{

	struct l2tp_tunnel *tunnel;

	struct l2tp_net *pn = l2tp_pernet(net);



	rcu_read_lock_bh();

	list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {

		if (tunnel->tunnel_id == tunnel_id) {

			rcu_read_unlock_bh();

			return tunnel;

		}

	}

	rcu_read_unlock_bh();



	return NULL;

}

EXPORT_SYMBOL_GPL(l2tp_tunnel_find);



struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth)

{

	struct l2tp_net *pn = l2tp_pernet(net);
@@ -1501,6 +1481,7 @@ static int l2tp_validate_socket(const struct sock *sk, const struct net *net, 
int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,

			 struct l2tp_tunnel_cfg *cfg)

{

	struct l2tp_tunnel *tunnel_walk;

	struct l2tp_net *pn;

	struct socket *sock;

	struct sock *sk;
@@ -1529,7 +1510,16 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, 
	tunnel->l2tp_net = net;



	pn = l2tp_pernet(net);



	spin_lock_bh(&pn->l2tp_tunnel_list_lock);

	list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) {

		if (tunnel_walk->tunnel_id == tunnel->tunnel_id) {

			spin_unlock_bh(&pn->l2tp_tunnel_list_lock);



			ret = -EEXIST;

			goto err_sock;

		}

	}

	list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);

	spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
@@ -1558,6 +1548,9 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, 
	return 0;



err_sock:

	if (tunnel->fd < 0)

		sock_release(sock);

	else

		sockfd_put(sock);

err:

	return ret;

net/l2tp/l2tp_core.h

+0 −1
Original line number Diff line number Diff line
@@ -220,7 +220,6 @@ struct l2tp_session *l2tp_session_get(const struct net *net, 
struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth);

struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,

						const char *ifname);

struct l2tp_tunnel *l2tp_tunnel_find(const struct net *net, u32 tunnel_id);

struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth);



int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id,

net/l2tp/l2tp_netlink.c

+0 −6
Original line number Diff line number Diff line
@@ -236,12 +236,6 @@ static int l2tp_nl_cmd_tunnel_create(struct sk_buff *skb, struct genl_info *info 
	if (info->attrs[L2TP_ATTR_DEBUG])

		cfg.debug = nla_get_u32(info->attrs[L2TP_ATTR_DEBUG]);



	tunnel = l2tp_tunnel_find(net, tunnel_id);

	if (tunnel != NULL) {

		ret = -EEXIST;

		goto out;

	}



	ret = -EINVAL;

	switch (cfg.encap) {

	case L2TP_ENCAPTYPE_UDP: