diff options
author | David S. Miller <davem@davemloft.net> | 2018-02-26 20:20:37 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-02-26 20:20:37 +0300 |
commit | 44e524cf8a8c0a8dc3d8256006d57b1d7d59c407 (patch) | |
tree | 8b2d75b2e1b0cdb59300f3cf877fe2de1b619866 /block/blk-core.c | |
parent | 9cb9c07d6b0c5fd97d83b8ab14d7e308ba4b612f (diff) | |
parent | 28f5bfb819195ad9c2eb9486babe7b0e4efe925f (diff) | |
download | linux-44e524cf8a8c0a8dc3d8256006d57b1d7d59c407.tar.xz |
Merge branch 'l2tp-fix-API-races-discovered-by-syzbot'
James Chapman says:
====================
l2tp: fix API races discovered by syzbot
This patch series addresses several races with L2TP APIs discovered by
syzbot. There are no functional changes.
The set of patches 1-5 in combination fix the following syzbot reports.
19c09769f WARNING in debug_print_object
347bd5acd KASAN: use-after-free Read in inet_shutdown
6e6a5ec8d general protection fault in pppol2tp_connect
9df43faf0 KASAN: use-after-free Read in pppol2tp_connect
My first attempts to fix these issues were as net-next patches but
the series included other refactoring and cleanup work. I was asked to
separate out the bugfixes and redo for the net tree, which is what
these patches are.
The changes are:
1. Fix inet_shutdown races when L2TP tunnels and sessions close. (patches 1-2)
2. Fix races with tunnel and its socket. (patch 3)
3. Fix race in pppol2tp_release with session and its socket. (patch 4)
4. Fix tunnel lookup use-after-free. (patch 5)
All of the syzbot reproducers hit races in the tunnel and pppol2tp
session create and destroy paths. These tests create and destroy
pppol2tp tunnels and sessions rapidly using multiple threads,
provoking races in several tunnel/session create/destroy paths. The
key problem was that each tunnel/session socket could be destroyed
while its associated tunnel/session object still existed (patches 3,
4). Patch 5 addresses a problem with the way tunnels are removed from
the tunnel list. Patch 5 is tagged that it addresses all four syzbot
issues, though all 5 patches are needed.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'block/blk-core.c')
0 files changed, 0 insertions, 0 deletions