mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/net
History
Cong Wang cef0845b6d l2tp: close all race conditions in l2tp_tunnel_register() 
[ Upstream commit 0b2c59720e ]

The code in l2tp_tunnel_register() is racy in several ways:

1. It modifies the tunnel socket _after_ publishing it.

2. It calls setup_udp_tunnel_sock() on an existing socket without
   locking.

3. It changes sock lock class on fly, which triggers many syzbot
   reports.

This patch amends all of them by moving socket initialization code
before publishing and under sock lock. As suggested by Jakub, the
l2tp lockdep class is not necessary as we can just switch to
bh_lock_sock_nested().

Fixes: 37159ef2c1 ("l2tp: fix a lockdep splat")
Fixes: 6b9f34239b ("l2tp: fix races in tunnel creation")
Reported-by: syzbot+52866e24647f9a23403f@syzkaller.appspotmail.com
Reported-by: syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Guillaume Nault <gnault@redhat.com>
Cc: Jakub Sitnicki <jakub@cloudflare.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Tom Parkin <tparkin@katalix.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-02-01 08:34:19 +01:00
..
6lowpan
9p 9p/client: fix data race on req->status 2023-01-12 12:02:36 +01:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:33:02 +01:00
8021q
appletalk
atm net/atm: fix proc_mpc_write incorrect return value 2022-10-15 11:08:36 +01:00
ax25
batman-adv
bluetooth Bluetooth: hci_sync: Fix use HCI_OP_LE_READ_BUFFER_SIZE_V2 2023-01-24 07:24:32 +01:00
bpf bpf: Move skb->len == 0 checks into __bpf_redirect 2022-12-31 13:32:14 +01:00
bpfilter
bridge bridge: switchdev: Fix memory leaks when changing VLAN protocol 2022-11-15 13:38:11 +01:00
caif caif: fix memory leak in cfctrl_linkup_request() 2023-01-12 12:02:33 +01:00
can can: af_can: fix NULL pointer dereference in can_rcv_filter 2022-12-07 10:30:47 +01:00
ceph Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
core gro: take care of DODGY packets 2023-01-18 11:58:26 +01:00
dcb
dccp dccp/tcp: Fixup bhash2 bucket when connect() fails. 2022-11-22 20:15:37 -08:00
dns_resolver
dsa net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path 2022-12-31 13:32:29 +01:00
ethernet
ethtool net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats 2023-01-24 07:24:31 +01:00
hsr hsr: Synchronize sequence number updates. 2022-12-31 13:32:22 +01:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife
ipv4 net/ulp: use consistent error code when blocking ULP 2023-01-24 07:24:43 +01:00
ipv6 ipv6: raw: Deduct extension header length in rawv6_push_pending_frames 2023-01-18 11:58:19 +01:00
iucv
kcm kcm: close race conditions on sk_receive_queue 2022-11-15 12:42:26 +01:00
key xfrm: Fix oops in __xfrm_state_delete() 2022-11-22 07:14:55 +01:00
l2tp l2tp: close all race conditions in l2tp_tunnel_register() 2023-02-01 08:34:19 +01:00
l3mdev
lapb
llc
mac80211 Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()" 2023-01-24 07:24:44 +01:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-05 09:53:08 +01:00
mctp mctp: Remove device type check at unregister 2022-12-31 13:32:56 +01:00
mpls
mptcp mptcp: netlink: respect v4/v6-only sockets 2023-01-24 07:24:37 +01:00
ncsi
netfilter netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. 2023-01-18 11:58:21 +01:00
netlabel
netlink genetlink: limit the use of validation workarounds to old ops 2022-10-27 08:20:21 -07:00
netrom
nfc net: nfc: Fix use-after-free in local_cleanup() 2023-02-01 08:34:17 +01:00
nsh
openvswitch openvswitch: Use kmalloc_size_roundup() to match ksize() usage 2022-12-31 13:32:59 +01:00
packet packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE 2022-11-29 08:30:18 -08:00
phonet
psample
qrtr
rds treewide: use get_random_{u8,u16}() when possible, part 2 2022-10-11 17:42:58 -06:00
rfkill
rose rose: Fix NULL pointer dereference in rose_send_frame() 2022-11-02 11:57:30 +00:00
rxrpc rxrpc: Fix missing unlock in rxrpc_do_sendmsg() 2022-12-31 13:32:55 +01:00
sched net/sched: sch_taprio: fix possible use-after-free 2023-02-01 08:34:19 +01:00
sctp sctp: sysctl: make extra pointers netns aware 2022-12-31 13:32:28 +01:00
smc net/smc: Fix possible leaked pernet namespace in smc_init() 2022-11-02 20:42:09 -07:00
strparser
sunrpc Revert "SUNRPC: Use RMW bitops in single-threaded hot paths" 2023-01-14 10:33:42 +01:00
switchdev
tipc tipc: fix unexpected link reset due to discovery messages 2023-01-18 11:58:24 +01:00
tls bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes 2022-12-31 13:32:20 +01:00
unix unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg() 2022-12-31 13:32:54 +01:00
vmw_vsock net: vmw_vsock: vmci: Check memcpy_from_msg() 2022-12-31 13:32:26 +01:00
wireless wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails 2022-12-31 13:32:20 +01:00
x25 net/x25: Fix skb leak in x25_lapb_receive_frame() 2022-11-15 20:22:19 -08:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-11-23 19:18:59 -08:00
Kconfig
Kconfig.debug
Makefile
compat.c
devres.c
socket.c d_path pile 2022-10-06 16:55:41 -07:00
sysctl_net.c