+++ /dev/null
-From 6e121ef3f53982e168e775c4dececf3a2556c0fb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 14 Nov 2022 20:16:19 +0100
-Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock
-
-From: Jakub Sitnicki <jakub@cloudflare.com>
-
-[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ]
-
-sk->sk_user_data has multiple users, which are not compatible with each
-other. Writers must synchronize by grabbing the sk->sk_callback_lock.
-
-l2tp currently fails to grab the lock when modifying the underlying tunnel
-socket fields. Fix it by adding appropriate locking.
-
-We err on the side of safety and grab the sk_callback_lock also inside the
-sk_destruct callback overridden by l2tp, even though there should be no
-refs allowing access to the sock at the time when sk_destruct gets called.
-
-v4:
-- serialize write to sk_user_data in l2tp sk_destruct
-
-v3:
-- switch from sock lock to sk_callback_lock
-- document write-protection for sk_user_data
-
-v2:
-- update Fixes to point to origin of the bug
-- use real names in Reported/Tested-by tags
-
-Cc: Tom Parkin <tparkin@katalix.com>
-Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
-Reported-by: Haowei Yan <g1042620637@gmail.com>
-Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/sock.h | 2 +-
- net/l2tp/l2tp_core.c | 19 +++++++++++++------
- 2 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/include/net/sock.h b/include/net/sock.h
-index 90a8b8b26a20..69bbbe8bbf34 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -315,7 +315,7 @@ struct bpf_local_storage;
- * @sk_tskey: counter to disambiguate concurrent tstamp requests
- * @sk_zckey: counter to order MSG_ZEROCOPY notifications
- * @sk_socket: Identd and reporting IO signals
-- * @sk_user_data: RPC layer private data
-+ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
- * @sk_frag: cached page frag
- * @sk_peek_off: current peek_offset value
- * @sk_send_head: front of stuff to transmit
-diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
-index dc8987ed08ad..e89852bc5309 100644
---- a/net/l2tp/l2tp_core.c
-+++ b/net/l2tp/l2tp_core.c
-@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
- }
-
- /* Remove hooks into tunnel socket */
-+ write_lock_bh(&sk->sk_callback_lock);
- sk->sk_destruct = tunnel->old_sk_destruct;
- sk->sk_user_data = NULL;
-+ write_unlock_bh(&sk->sk_callback_lock);
-
- /* Call the original destructor */
- if (sk->sk_destruct)
-@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- sock = sockfd_lookup(tunnel->fd, &ret);
- if (!sock)
- goto err;
--
-- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
-- if (ret < 0)
-- goto err_sock;
- }
-
-+ sk = sock->sk;
-+ write_lock(&sk->sk_callback_lock);
-+
-+ ret = l2tp_validate_socket(sk, net, tunnel->encap);
-+ if (ret < 0)
-+ goto err_sock;
-+
- tunnel->l2tp_net = net;
- pn = l2tp_pernet(net);
-
-- sk = sock->sk;
- sock_hold(sk);
- tunnel->sock = sk;
-
-@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
-
- setup_udp_tunnel_sock(net, sock, &udp_cfg);
- } else {
-- sk->sk_user_data = tunnel;
-+ rcu_assign_sk_user_data(sk, tunnel);
- }
-
- tunnel->old_sk_destruct = sk->sk_destruct;
-@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- if (tunnel->fd >= 0)
- sockfd_put(sock);
-
-+ write_unlock(&sk->sk_callback_lock);
- return 0;
-
- err_sock:
-@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- sock_release(sock);
- else
- sockfd_put(sock);
-+
-+ write_unlock(&sk->sk_callback_lock);
- err:
- return ret;
- }
---
-2.35.1
-
nvme-restrict-management-ioctls-to-admin.patch
nvme-ensure-subsystem-reset-is-single-threaded.patch
net-fix-a-concurrency-bug-in-l2tp_tunnel_register.patch
-l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch
ring-buffer-include-dropped-pages-in-counting-dirty-.patch
usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch
stddef-introduce-struct_group-helper-macro.patch
+++ /dev/null
-From 66cc0051914a5ae7ce96f56e9cfda4edb8f8fe3f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 14 Nov 2022 20:16:19 +0100
-Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock
-
-From: Jakub Sitnicki <jakub@cloudflare.com>
-
-[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ]
-
-sk->sk_user_data has multiple users, which are not compatible with each
-other. Writers must synchronize by grabbing the sk->sk_callback_lock.
-
-l2tp currently fails to grab the lock when modifying the underlying tunnel
-socket fields. Fix it by adding appropriate locking.
-
-We err on the side of safety and grab the sk_callback_lock also inside the
-sk_destruct callback overridden by l2tp, even though there should be no
-refs allowing access to the sock at the time when sk_destruct gets called.
-
-v4:
-- serialize write to sk_user_data in l2tp sk_destruct
-
-v3:
-- switch from sock lock to sk_callback_lock
-- document write-protection for sk_user_data
-
-v2:
-- update Fixes to point to origin of the bug
-- use real names in Reported/Tested-by tags
-
-Cc: Tom Parkin <tparkin@katalix.com>
-Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
-Reported-by: Haowei Yan <g1042620637@gmail.com>
-Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/sock.h | 2 +-
- net/l2tp/l2tp_core.c | 19 +++++++++++++------
- 2 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/include/net/sock.h b/include/net/sock.h
-index e1a303e4f0f7..3e9db5146765 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -323,7 +323,7 @@ struct bpf_local_storage;
- * @sk_tskey: counter to disambiguate concurrent tstamp requests
- * @sk_zckey: counter to order MSG_ZEROCOPY notifications
- * @sk_socket: Identd and reporting IO signals
-- * @sk_user_data: RPC layer private data
-+ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
- * @sk_frag: cached page frag
- * @sk_peek_off: current peek_offset value
- * @sk_send_head: front of stuff to transmit
-diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
-index 93271a2632b8..c77032638a06 100644
---- a/net/l2tp/l2tp_core.c
-+++ b/net/l2tp/l2tp_core.c
-@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
- }
-
- /* Remove hooks into tunnel socket */
-+ write_lock_bh(&sk->sk_callback_lock);
- sk->sk_destruct = tunnel->old_sk_destruct;
- sk->sk_user_data = NULL;
-+ write_unlock_bh(&sk->sk_callback_lock);
-
- /* Call the original destructor */
- if (sk->sk_destruct)
-@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- sock = sockfd_lookup(tunnel->fd, &ret);
- if (!sock)
- goto err;
--
-- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
-- if (ret < 0)
-- goto err_sock;
- }
-
-+ sk = sock->sk;
-+ write_lock(&sk->sk_callback_lock);
-+
-+ ret = l2tp_validate_socket(sk, net, tunnel->encap);
-+ if (ret < 0)
-+ goto err_sock;
-+
- tunnel->l2tp_net = net;
- pn = l2tp_pernet(net);
-
-- sk = sock->sk;
- sock_hold(sk);
- tunnel->sock = sk;
-
-@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
-
- setup_udp_tunnel_sock(net, sock, &udp_cfg);
- } else {
-- sk->sk_user_data = tunnel;
-+ rcu_assign_sk_user_data(sk, tunnel);
- }
-
- tunnel->old_sk_destruct = sk->sk_destruct;
-@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- if (tunnel->fd >= 0)
- sockfd_put(sock);
-
-+ write_unlock(&sk->sk_callback_lock);
- return 0;
-
- err_sock:
-@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- sock_release(sock);
- else
- sockfd_put(sock);
-+
-+ write_unlock(&sk->sk_callback_lock);
- err:
- return ret;
- }
---
-2.35.1
-
nvme-ensure-subsystem-reset-is-single-threaded.patch
serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch
perf-improve-missing-sigtrap-checking.patch
-l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch
ring-buffer-include-dropped-pages-in-counting-dirty-.patch
tracing-fix-warning-on-variable-struct-trace_array.patch
net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch
+++ /dev/null
-From 1ea60c1db42da0b5b40eb7e9bf8d5937f6f475cc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 14 Nov 2022 20:16:19 +0100
-Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock
-
-From: Jakub Sitnicki <jakub@cloudflare.com>
-
-[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ]
-
-sk->sk_user_data has multiple users, which are not compatible with each
-other. Writers must synchronize by grabbing the sk->sk_callback_lock.
-
-l2tp currently fails to grab the lock when modifying the underlying tunnel
-socket fields. Fix it by adding appropriate locking.
-
-We err on the side of safety and grab the sk_callback_lock also inside the
-sk_destruct callback overridden by l2tp, even though there should be no
-refs allowing access to the sock at the time when sk_destruct gets called.
-
-v4:
-- serialize write to sk_user_data in l2tp sk_destruct
-
-v3:
-- switch from sock lock to sk_callback_lock
-- document write-protection for sk_user_data
-
-v2:
-- update Fixes to point to origin of the bug
-- use real names in Reported/Tested-by tags
-
-Cc: Tom Parkin <tparkin@katalix.com>
-Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
-Reported-by: Haowei Yan <g1042620637@gmail.com>
-Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/sock.h | 2 +-
- net/l2tp/l2tp_core.c | 19 +++++++++++++------
- 2 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/include/net/sock.h b/include/net/sock.h
-index f6e6838c82df..03a4ebe3ccc8 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -323,7 +323,7 @@ struct sk_filter;
- * @sk_tskey: counter to disambiguate concurrent tstamp requests
- * @sk_zckey: counter to order MSG_ZEROCOPY notifications
- * @sk_socket: Identd and reporting IO signals
-- * @sk_user_data: RPC layer private data
-+ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
- * @sk_frag: cached page frag
- * @sk_peek_off: current peek_offset value
- * @sk_send_head: front of stuff to transmit
-diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
-index 7499c51b1850..754fdda8a5f5 100644
---- a/net/l2tp/l2tp_core.c
-+++ b/net/l2tp/l2tp_core.c
-@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
- }
-
- /* Remove hooks into tunnel socket */
-+ write_lock_bh(&sk->sk_callback_lock);
- sk->sk_destruct = tunnel->old_sk_destruct;
- sk->sk_user_data = NULL;
-+ write_unlock_bh(&sk->sk_callback_lock);
-
- /* Call the original destructor */
- if (sk->sk_destruct)
-@@ -1469,16 +1471,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- sock = sockfd_lookup(tunnel->fd, &ret);
- if (!sock)
- goto err;
--
-- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
-- if (ret < 0)
-- goto err_sock;
- }
-
-+ sk = sock->sk;
-+ write_lock(&sk->sk_callback_lock);
-+
-+ ret = l2tp_validate_socket(sk, net, tunnel->encap);
-+ if (ret < 0)
-+ goto err_sock;
-+
- tunnel->l2tp_net = net;
- pn = l2tp_pernet(net);
-
-- sk = sock->sk;
- sock_hold(sk);
- tunnel->sock = sk;
-
-@@ -1504,7 +1508,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
-
- setup_udp_tunnel_sock(net, sock, &udp_cfg);
- } else {
-- sk->sk_user_data = tunnel;
-+ rcu_assign_sk_user_data(sk, tunnel);
- }
-
- tunnel->old_sk_destruct = sk->sk_destruct;
-@@ -1518,6 +1522,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- if (tunnel->fd >= 0)
- sockfd_put(sock);
-
-+ write_unlock(&sk->sk_callback_lock);
- return 0;
-
- err_sock:
-@@ -1525,6 +1530,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
- sock_release(sock);
- else
- sockfd_put(sock);
-+
-+ write_unlock(&sk->sk_callback_lock);
- err:
- return ret;
- }
---
-2.35.1
-
vfio-rename-vfio_ioctl_check_extension.patch
vfio-split-the-register_device-ops-call-into-functio.patch
perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch
-l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch
ring-buffer-include-dropped-pages-in-counting-dirty-.patch
tracing-fix-warning-on-variable-struct-trace_array.patch
net-usb-smsc95xx-fix-external-phy-reset.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
