linux/net/l2tp
Tom Parkin 80d84ef3ff l2tp: prevent l2tp_tunnel_delete racing with userspace close
If a tunnel socket is created by userspace, l2tp hooks the socket destructor
in order to clean up resources if userspace closes the socket or crashes.  It
also caches a pointer to the struct sock for use in the data path and in the
netlink interface.

While it is safe to use the cached sock pointer in the data path, where the
skb references keep the socket alive, it is not safe to use it elsewhere as
such access introduces a race with userspace closing the socket.  In
particular, l2tp_tunnel_delete is prone to oopsing if a multithreaded
userspace application closes a socket at the same time as sending a netlink
delete command for the tunnel.

This patch fixes this oops by forcing l2tp_tunnel_delete to explicitly look up
a tunnel socket held by userspace using sockfd_lookup().

Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:02 -05:00
..
Kconfig l2tp: fix compile error when CONFIG_IPV6=m and CONFIG_L2TP=y 2012-09-21 12:06:46 -04:00
l2tp_core.c l2tp: prevent l2tp_tunnel_delete racing with userspace close 2013-01-29 15:43:02 -05:00
l2tp_core.h l2tp: prevent l2tp_tunnel_delete racing with userspace close 2013-01-29 15:43:02 -05:00
l2tp_debugfs.c net: l2tp: Standardize logging styles 2012-05-17 04:34:38 -04:00
l2tp_eth.c l2tp: fix oops in l2tp_eth_create() error path 2012-11-02 21:56:35 -04:00
l2tp_ip.c l2tp: fix a race in l2tp_ip_sendmsg() 2012-06-08 14:30:51 -07:00
l2tp_ip6.c l2tp: fix info leak via getsockname() 2012-08-15 21:36:31 -07:00
l2tp_netlink.c l2tp: session is an array not a pointer 2012-10-26 03:46:41 -04:00
l2tp_ppp.c net: Remove casts to same type 2012-06-04 11:45:11 -04:00
Makefile l2tp: introduce L2TPv3 IP encapsulation support for IPv6 2012-05-01 09:30:55 -04:00