linux/net
Tom Parkin 80d84ef3ff l2tp: prevent l2tp_tunnel_delete racing with userspace close
If a tunnel socket is created by userspace, l2tp hooks the socket destructor
in order to clean up resources if userspace closes the socket or crashes.  It
also caches a pointer to the struct sock for use in the data path and in the
netlink interface.

While it is safe to use the cached sock pointer in the data path, where the
skb references keep the socket alive, it is not safe to use it elsewhere as
such access introduces a race with userspace closing the socket.  In
particular, l2tp_tunnel_delete is prone to oopsing if a multithreaded
userspace application closes a socket at the same time as sending a netlink
delete command for the tunnel.

This patch fixes this oops by forcing l2tp_tunnel_delete to explicitly look up
a tunnel socket held by userspace using sockfd_lookup().

Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:02 -05:00
..
9p virtio: 9p: correctly pass physical address to userspace for high pages 2012-10-22 18:19:36 +10:30
802
8021q 8021q: fix vlan device to inherit the unicast filtering capability flag 2012-11-30 12:07:27 -05:00
appletalk
atm atm: use scnprintf() instead of sprintf() 2012-12-17 20:50:51 -08:00
ax25
batman-adv batman-adv: filter ARP packets with invalid MAC addresses in DAT 2013-01-27 14:02:39 +01:00
bluetooth Bluetooth: Check if the hci connection exists in SCO shutdown 2013-01-10 03:53:32 -02:00
bridge bridge: add empty br_mdb_init() and br_mdb_uninit() definitions. 2013-01-03 03:35:22 -08:00
caif caif_usb: Make the driver name check more efficient 2012-12-09 00:34:02 -05:00
can Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-12-13 12:00:02 -08:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2013-01-02 17:32:49 -08:00
core net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly 2013-01-22 14:17:38 -05:00
dcb net: Allow DCBnl to use other namespaces besides init_net 2012-12-10 14:09:01 -05:00
dccp inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock 2012-12-14 13:14:07 -05:00
decnet net: Push capable(CAP_NET_ADMIN) into the rtnl methods 2012-11-18 20:32:44 -05:00
dns_resolver Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-12-16 15:40:50 -08:00
dsa dsa: Hide core config options; make drivers select what they need 2012-11-26 17:10:44 -05:00
ethernet
ieee802154 6lowpan: consider checksum bytes in fragmentation threshold 2012-11-30 12:19:24 -05:00
ipv4 IP_GRE: Fix kernel panic in IP_GRE with GRE csum. 2013-01-28 00:07:34 -05:00
ipv6 ip6mr: limit IPv6 MRT_TABLE identifiers 2013-01-27 19:31:03 -05:00
ipx
irda TTY/Serial merge for 3.8-rc1 2012-12-11 14:08:47 -08:00
iucv s390/irq: remove split irq fields from /proc/stat 2013-01-08 10:57:07 +01:00
key net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 2012-11-18 20:32:45 -05:00
l2tp l2tp: prevent l2tp_tunnel_delete racing with userspace close 2013-01-29 15:43:02 -05:00
lapb
llc net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 2012-11-18 20:32:45 -05:00
mac80211 mac80211: add encrypt headroom to PERR frames 2013-01-16 23:24:51 +01:00
mac802154 mac802154: fix NOHZ local_softirq_pending 08 warning 2013-01-04 13:47:21 -08:00
netfilter netfilter: x_tables: print correct hook names for ARP 2013-01-13 12:54:12 +01:00
netlabel Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-10-02 13:38:27 -07:00
netlink netlink: validate addr_len on bind 2012-12-17 20:50:51 -08:00
netrom net: change return values from -EACCES to -EPERM 2012-09-21 13:58:08 -04:00
nfc nfc: remove noisy message from llcp_sock_sendmsg 2012-12-13 12:58:10 -05:00
openvswitch openvswitch: Use RCU callback when detaching netdevices. 2012-11-28 14:04:34 -08:00
packet net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 2012-11-18 20:32:45 -05:00
phonet net: Push capable(CAP_NET_ADMIN) into the rtnl methods 2012-11-18 20:32:44 -05:00
rds IB/rds: suppress incompatible protocol when version is known 2012-12-26 15:17:37 -08:00
rfkill Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-12-13 12:00:02 -08:00
rose
rxrpc Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux 2012-10-14 13:39:34 -07:00
sched net: sched: integer overflow fix 2012-12-22 00:03:00 -08:00
sctp SCTP: Free the per-net sysctl table on net exit. v2 2013-01-28 00:09:32 -05:00
sunrpc NFS client bugfixe for Linux 3.8 2013-01-11 12:09:04 -08:00
tipc tipc: refactor accept() code for improved readability 2012-12-07 17:23:24 -05:00
unix net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
wanrouter
wimax
wireless net, wireless: overwrite default_ethtool_ops 2013-01-11 15:55:48 -08:00
x25
xfrm xfrm: fix freed block size calculation in xfrm_policy_fini() 2013-01-21 06:50:04 +01:00
compat.c make get_file() return its argument 2012-09-26 21:10:25 -04:00
Kconfig
Makefile ipv6: Preserve ipv6 functionality needed by NET 2012-11-18 02:34:00 -05:00
nonet.c
socket.c cgroup: net_cls: Rework update socket logic 2012-10-26 03:40:51 -04:00
sysctl_net.c user_ns: get rid of duplicate code in net_ctl_permissions 2012-11-18 20:32:45 -05:00