unimore/kernel-hacking-2024-linux-steffo
unimore/kernel-hacking-2024-linux-steffo
1
Fork 0
Code Pull requests 5 Wiki Activity
kernel-hacking-2024-linux-s.../net
History
Tom Parkin 80d84ef3ff l2tp: prevent l2tp_tunnel_delete racing with userspace close 
If a tunnel socket is created by userspace, l2tp hooks the socket destructor
in order to clean up resources if userspace closes the socket or crashes.  It
also caches a pointer to the struct sock for use in the data path and in the
netlink interface.

While it is safe to use the cached sock pointer in the data path, where the
skb references keep the socket alive, it is not safe to use it elsewhere as
such access introduces a race with userspace closing the socket.  In
particular, l2tp_tunnel_delete is prone to oopsing if a multithreaded
userspace application closes a socket at the same time as sending a netlink
delete command for the tunnel.

This patch fixes this oops by forcing l2tp_tunnel_delete to explicitly look up
a tunnel socket held by userspace using sockfd_lookup().

Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:43:02 -05:00
..
9p
802
8021q
appletalk
atm atm: use scnprintf() instead of sprintf() 2012-12-17 20:50:51 -08:00
ax25
batman-adv batman-adv: filter ARP packets with invalid MAC addresses in DAT 2013-01-27 14:02:39 +01:00
bluetooth Bluetooth: Check if the hci connection exists in SCO shutdown 2013-01-10 03:53:32 -02:00
bridge bridge: add empty br_mdb_init() and br_mdb_uninit() definitions. 2013-01-03 03:35:22 -08:00
caif caif_usb: Make the driver name check more efficient 2012-12-09 00:34:02 -05:00
can Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-12-13 12:00:02 -08:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2013-01-02 17:32:49 -08:00
core net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly 2013-01-22 14:17:38 -05:00
dcb net: Allow DCBnl to use other namespaces besides init_net 2012-12-10 14:09:01 -05:00
dccp inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock 2012-12-14 13:14:07 -05:00
decnet
dns_resolver Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-12-16 15:40:50 -08:00
dsa
ethernet
ieee802154
ipv4 IP_GRE: Fix kernel panic in IP_GRE with GRE csum. 2013-01-28 00:07:34 -05:00
ipv6 ip6mr: limit IPv6 MRT_TABLE identifiers 2013-01-27 19:31:03 -05:00
ipx
irda TTY/Serial merge for 3.8-rc1 2012-12-11 14:08:47 -08:00
iucv s390/irq: remove split irq fields from /proc/stat 2013-01-08 10:57:07 +01:00
key
l2tp l2tp: prevent l2tp_tunnel_delete racing with userspace close 2013-01-29 15:43:02 -05:00
lapb
llc
mac80211 mac80211: add encrypt headroom to PERR frames 2013-01-16 23:24:51 +01:00
mac802154 mac802154: fix NOHZ local_softirq_pending 08 warning 2013-01-04 13:47:21 -08:00
netfilter netfilter: x_tables: print correct hook names for ARP 2013-01-13 12:54:12 +01:00
netlabel
netlink netlink: validate addr_len on bind 2012-12-17 20:50:51 -08:00
netrom
nfc nfc: remove noisy message from llcp_sock_sendmsg 2012-12-13 12:58:10 -05:00
openvswitch
packet
phonet
rds IB/rds: suppress incompatible protocol when version is known 2012-12-26 15:17:37 -08:00
rfkill Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-12-13 12:00:02 -08:00
rose
rxrpc
sched net: sched: integer overflow fix 2012-12-22 00:03:00 -08:00
sctp SCTP: Free the per-net sysctl table on net exit. v2 2013-01-28 00:09:32 -05:00
sunrpc NFS client bugfixe for Linux 3.8 2013-01-11 12:09:04 -08:00
tipc tipc: refactor accept() code for improved readability 2012-12-07 17:23:24 -05:00
unix
wanrouter
wimax
wireless net, wireless: overwrite default_ethtool_ops 2013-01-11 15:55:48 -08:00
x25
xfrm xfrm: fix freed block size calculation in xfrm_policy_fini() 2013-01-21 06:50:04 +01:00
compat.c
Kconfig
Makefile
nonet.c
socket.c
sysctl_net.c