Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1769192a authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

l2tp: fix potential rcu race 



While trying to remove useless synchronize_rcu() calls, I found l2tp is
indeed incorrectly using two of such calls, but also bumps tunnel
refcount after list insertion.

tunnel refcount must be incremented before being made publically visible
by rcu readers.

This fix can be applied to 2.6.35+ and might need a backport for older
kernels, since things were shuffled in commit fd558d18
(l2tp: Split pppol2tp patch into separate l2tp and ppp parts)

Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
CC: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
CC: James Chapman <jchapman@katalix.com>
Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 3c709f8f

net/l2tp/l2tp_core.c

+4 −6
Original line number Diff line number Diff line
@@ -1435,16 +1435,15 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 


	/* Add tunnel to our list */

	INIT_LIST_HEAD(&tunnel->list);

	spin_lock_bh(&pn->l2tp_tunnel_list_lock);

	list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);

	spin_unlock_bh(&pn->l2tp_tunnel_list_lock);

	synchronize_rcu();

	atomic_inc(&l2tp_tunnel_count);



	/* Bump the reference count. The tunnel context is deleted

	 * only when this drops to zero.

	 * only when this drops to zero. Must be done before list insertion

	 */

	l2tp_tunnel_inc_refcount(tunnel);

	spin_lock_bh(&pn->l2tp_tunnel_list_lock);

	list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);

	spin_unlock_bh(&pn->l2tp_tunnel_list_lock);



	err = 0;

err:
@@ -1636,7 +1635,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn 
			hlist_add_head_rcu(&session->global_hlist,

					   l2tp_session_id_hash_2(pn, session_id));

			spin_unlock_bh(&pn->l2tp_session_hlist_lock);

			synchronize_rcu();

		}



		/* Ignore management session in session count value */