lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f2fdb53a-4727-278d-ac1b-d6dbdac8d307@I-love.SAKURA.ne.jp>
Date:   Tue, 22 Nov 2022 18:48:46 +0900
From:   Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:     Jakub Sitnicki <jakub@...udflare.com>
Cc:     netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Tom Parkin <tparkin@...alix.com>,
        syzbot+703d9e154b3b58277261@...kaller.appspotmail.com,
        syzbot+50680ced9e98a61f7698@...kaller.appspotmail.com,
        syzbot+de987172bb74a381879b@...kaller.appspotmail.com
Subject: Re: [PATCH net] l2tp: Don't sleep and disable BH under writer-side
 sk_callback_lock

On 2022/11/22 6:55, Jakub Sitnicki wrote:
> First, let me say, that I get the impression that setup_udp_tunnel_sock
> was not really meant to be used on pre-existing sockets created by
> user-space. Even though l2tp and gtp seem to be doing that.
> 
> That is because, I don't see how it could be used properly. Given that
> we need to check-and-set sk_user_data under sk_callback_lock, which
> setup_udp_tunnel_sock doesn't grab itself. At the same time it might
> sleep. There is no way to apply it without resorting to tricks, like we
> did here.
> 
> So - yeah - there may be other problems. But if there are, they are not
> related to the faulty commit b68777d54fac ("l2tp: Serialize access to
> sk_user_data with sk_callback_lock"), which we're trying to fix. There
> was no locking present in l2tp_tunnel_register before that point.

https://syzkaller.appspot.com/bug?extid=94cc2a66fc228b23f360 is the one
where changing lockdep class is concurrently done on pre-existing sockets.

I think we need to always create a new socket inside l2tp_tunnel_register(),
rather than trying to serialize setting of sk_user_data under sk_callback_lock.

> However, that is also not related to the race to check-and-set
> sk_user_data, which commit b68777d54fac is trying to fix.

Therefore, I feel that reverting commit b68777d54fac "l2tp: Serialize access
to sk_user_data with sk_callback_lock" might be the better choice.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ