lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Nov 2022 11:57:29 +0100 From: Jakub Sitnicki <jakub@...udflare.com> To: Eric Dumazet <edumazet@...gle.com> Cc: patchwork-bot+netdevbpf@...nel.org, netdev@...r.kernel.org, davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, tparkin@...alix.com, g1042620637@...il.com Subject: Re: [PATCH net v4] l2tp: Serialize access to sk_user_data with sk_callback_lock On Fri, Nov 18, 2022 at 02:28 AM -08, Eric Dumazet wrote: > On Thu, Nov 17, 2022 at 1:57 AM Jakub Sitnicki <jakub@...udflare.com> wrote: >> >> On Thu, Nov 17, 2022 at 01:40 AM -08, Eric Dumazet wrote: >> > On Thu, Nov 17, 2022 at 1:07 AM Eric Dumazet <edumazet@...gle.com> wrote: >> >> >> >> On Wed, Nov 16, 2022 at 5:30 AM <patchwork-bot+netdevbpf@...nel.org> wrote: >> >> > >> >> > Hello: >> >> > >> >> > This patch was applied to netdev/net.git (master) >> >> > by David S. Miller <davem@...emloft.net>: >> >> > >> >> > On Mon, 14 Nov 2022 20:16:19 +0100 you wrote: >> >> > > sk->sk_user_data has multiple users, which are not compatible with each >> >> > > other. Writers must synchronize by grabbing the sk->sk_callback_lock. >> >> > > >> >> > > l2tp currently fails to grab the lock when modifying the underlying tunnel >> >> > > socket fields. Fix it by adding appropriate locking. >> >> > > >> >> > > We err on the side of safety and grab the sk_callback_lock also inside the >> >> > > sk_destruct callback overridden by l2tp, even though there should be no >> >> > > refs allowing access to the sock at the time when sk_destruct gets called. >> >> > > >> >> > > [...] >> >> > >> >> > Here is the summary with links: >> >> > - [net,v4] l2tp: Serialize access to sk_user_data with sk_callback_lock >> >> > https://git.kernel.org/netdev/net/c/b68777d54fac >> >> > >> >> > >> >> >> >> I guess this patch has not been tested with LOCKDEP, right ? >> >> >> >> sk_callback_lock always needs _bh safety. >> >> >> >> I will send something like: >> >> >> >> diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c >> >> index 754fdda8a5f52e4e8e2c0f47331c3b22765033d0..a3b06a3cf68248f5ec7ae8be2a9711d0f482ac36 >> >> 100644 >> >> --- a/net/l2tp/l2tp_core.c >> >> +++ b/net/l2tp/l2tp_core.c >> >> @@ -1474,7 +1474,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel >> >> *tunnel, struct net *net, >> >> } >> >> >> >> sk = sock->sk; >> >> - write_lock(&sk->sk_callback_lock); >> >> + write_lock_bh(&sk->sk_callback_lock); >> > >> > Unfortunately this might still not work, because >> > setup_udp_tunnel_sock->udp_encap_enable() probably could sleep in >> > static_branch_inc() ? >> > >> > I will release the syzbot report, and let you folks work on a fix, thanks. >> >> Ah, the problem is with pppol2tp_connect racing with itself. Thanks for >> the syzbot report. I will take a look. I live for debugging deadlocks >> :-) > > Hi Jakub, any updates on this issue ? (Other syzbot reports with the > same root cause are piling up) > > Thanks Sorry, I don't have anything yet. I have reserved time to work on it this afternoon (I'm in the CET timezone). Alternatively, I can send a revert right away and come back with fixed patch once I have that, if you prefer.
Powered by blists - more mailing lists