Merge branch 'l2tp-register-sessions-atomically'

Guillaume Nault says: ==================== l2tp: register sessions atomically Currently l2tp_session_create() allocates a session, partially initialises it and finally registers it. It therefore exposes sessions that aren't fully initialised to the rest of the system, because pseudo-wire specific initialisation can only happen after l2tp_session_create() returns. This leads to several crashes when these sessions are used or deleted. This series starts by splitting session registration out of l2tp_session_create() (patch #1). Thus allowing pseudo-wires code to terminate the initialisation phase before registration. Then patch #2 fixes the eth pseudo-wire code. This requires protecting the session's netdevice pointer with RCU, because it still needs to be updated concurrently after the session got registered. Remaining patches take care of ppp pseudo-wires. RCU protection is needed there too, for the same reasons. This time it's the pppol2tp socket pointer that gets protected. For clarity, and since the conversion requires more modifications, introducing RCU is done in its own patch (#3). Then patch #4 only has to take care of fixing sessions initialisation and registration (and adapting part of the deletion process). ==================== Signed-off-by: David S. Miller <davem@davemloft.net>

Merge branch 'l2tp-register-sessions-atomically'
Guillaume Nault says: ==================== l2tp: register sessions atomically Currently l2tp_session_create() allocates a session, partially initialises it and finally registers it. It therefore exposes sessions that aren't fully initialised to the rest of the system, because pseudo-wire specific initialisation can only happen after l2tp_session_create() returns. This leads to several crashes when these sessions are used or deleted. This series starts by splitting session registration out of l2tp_session_create() (patch #1). Thus allowing pseudo-wires code to terminate the initialisation phase before registration. Then patch #2 fixes the eth pseudo-wire code. This requires protecting the session's netdevice pointer with RCU, because it still needs to be updated concurrently after the session got registered. Remaining patches take care of ppp pseudo-wires. RCU protection is needed there too, for the same reasons. This time it's the pppol2tp socket pointer that gets protected. For clarity, and since the conversion requires more modifications, introducing RCU is done in its own patch (#3). Then patch #4 only has to take care of fixing sessions initialisation and registration (and adapting part of the deletion process). ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
05ce8bd4 · David S. Miller · 949cf8b1 · f98be6c6 · 05ce8bd4 · 05ce8bd4
Commit 05ce8bd4 authored Oct 29, 2017 by David S. Miller
Showing with 238 additions and 123 deletions

net/l2tp/l2tp_core.c net/l2tp/l2tp_core.c +7 -14

net/l2tp/l2tp_core.h net/l2tp/l2tp_core.h +3 -0

net/l2tp/l2tp_eth.c net/l2tp/l2tp_eth.c +76 -23

net/l2tp/l2tp_ppp.c net/l2tp/l2tp_ppp.c +152 -86

No files found.
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -322,8 +322,8 @@ struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
 }
 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);

-static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
-				      struct l2tp_session *session)
+int l2tp_session_register(struct l2tp_session *session,
+			  struct l2tp_tunnel *tunnel)
 {
 	struct l2tp_session *session_walk;
 	struct hlist_head *g_head;
@@ -371,6 +371,10 @@ static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
 	hlist_add_head(&session->hlist, head);
 	write_unlock_bh(&tunnel->hlist_lock);

+	/* Ignore management session in session count value */
+	if (session->session_id != 0)
+		atomic_inc(&l2tp_session_count);
+
 	return 0;

 err_tlock_pnlock:
@@ -380,6 +384,7 @@ static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,

 	return err;
 }
+EXPORT_SYMBOL_GPL(l2tp_session_register);

 /* Lookup a tunnel by id
 */
@@ -1788,7 +1793,6 @@ EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
 {
 	struct l2tp_session *session;
-	int err;

 	session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
 	if (session != NULL) {
@@ -1846,17 +1850,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn

 		refcount_set(&session->ref_count, 1);

-		err = l2tp_session_add_to_tunnel(tunnel, session);
-		if (err) {
-			kfree(session);
-
-			return ERR_PTR(err);
-		}
-
-		/* Ignore management session in session count value */
-		if (session->session_id != 0)
-			atomic_inc(&l2tp_session_count);
-
 		return session;
 	}


--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -263,6 +263,9 @@ struct l2tp_session *l2tp_session_create(int priv_size,
 					 struct l2tp_tunnel *tunnel,
 					 u32 session_id, u32 peer_session_id,
 					 struct l2tp_session_cfg *cfg);
+int l2tp_session_register(struct l2tp_session *session,
+			  struct l2tp_tunnel *tunnel);
+
 void __l2tp_session_unhash(struct l2tp_session *session);
 int l2tp_session_delete(struct l2tp_session *session);
 void l2tp_session_free(struct l2tp_session *session);

--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -54,7 +54,7 @@ struct l2tp_eth {

 /* via l2tp_session_priv() */
 struct l2tp_eth_sess {
-	struct net_device	*dev;
+	struct net_device __rcu *dev;
 };


@@ -72,7 +72,14 @@ static int l2tp_eth_dev_init(struct net_device *dev)

 static void l2tp_eth_dev_uninit(struct net_device *dev)
 {
-	dev_put(dev);
+	struct l2tp_eth *priv = netdev_priv(dev);
+	struct l2tp_eth_sess *spriv;
+
+	spriv = l2tp_session_priv(priv->session);
+	RCU_INIT_POINTER(spriv->dev, NULL);
+	/* No need for synchronize_net() here. We're called by
+	 * unregister_netdev*(), which does the synchronisation for us.
+	 */
 }

 static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
@@ -130,8 +137,8 @@ static void l2tp_eth_dev_setup(struct net_device *dev)
 static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len)
 {
 	struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-	struct net_device *dev = spriv->dev;
-	struct l2tp_eth *priv = netdev_priv(dev);
+	struct net_device *dev;
+	struct l2tp_eth *priv;

 	if (session->debug & L2TP_MSG_DATA) {
 		unsigned int length;
@@ -155,16 +162,25 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
 	skb_dst_drop(skb);
 	nf_reset(skb);

+	rcu_read_lock();
+	dev = rcu_dereference(spriv->dev);
+	if (!dev)
+		goto error_rcu;
+
+	priv = netdev_priv(dev);
 	if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
 		atomic_long_inc(&priv->rx_packets);
 		atomic_long_add(data_len, &priv->rx_bytes);
 	} else {
 		atomic_long_inc(&priv->rx_errors);
 	}
+	rcu_read_unlock();
+
 	return;

+error_rcu:
+	rcu_read_unlock();
 error:
-	atomic_long_inc(&priv->rx_errors);
 	kfree_skb(skb);
 }

@@ -175,11 +191,15 @@ static void l2tp_eth_delete(struct l2tp_session *session)

 	if (session) {
 		spriv = l2tp_session_priv(session);
-		dev = spriv->dev;
+
+		rtnl_lock();
+		dev = rtnl_dereference(spriv->dev);
 		if (dev) {
-			unregister_netdev(dev);
-			spriv->dev = NULL;
+			unregister_netdevice(dev);
+			rtnl_unlock();
 			module_put(THIS_MODULE);
+		} else {
+			rtnl_unlock();
 		}
 	}
 }
@@ -189,9 +209,20 @@ static void l2tp_eth_show(struct seq_file *m, void *arg)
 {
 	struct l2tp_session *session = arg;
 	struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-	struct net_device *dev = spriv->dev;
+	struct net_device *dev;
+
+	rcu_read_lock();
+	dev = rcu_dereference(spriv->dev);
+	if (!dev) {
+		rcu_read_unlock();
+		return;
+	}
+	dev_hold(dev);
+	rcu_read_unlock();

 	seq_printf(m, "   interface %s\n", dev->name);
+
+	dev_put(dev);
 }
 #endif

@@ -268,14 +299,14 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 				      peer_session_id, cfg);
 	if (IS_ERR(session)) {
 		rc = PTR_ERR(session);
-		goto out;
+		goto err;
 	}

 	dev = alloc_netdev(sizeof(*priv), name, name_assign_type,
 			   l2tp_eth_dev_setup);
 	if (!dev) {
 		rc = -ENOMEM;
-		goto out_del_session;
+		goto err_sess;
 	}

 	dev_net_set(dev, net);
@@ -295,26 +326,48 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 #endif

 	spriv = l2tp_session_priv(session);
-	spriv->dev = dev;

-	rc = register_netdev(dev);
-	if (rc < 0)
-		goto out_del_dev;
+	l2tp_session_inc_refcount(session);
+
+	rtnl_lock();
+
+	/* Register both device and session while holding the rtnl lock. This
+	 * ensures that l2tp_eth_delete() will see that there's a device to
+	 * unregister, even if it happened to run before we assign spriv->dev.
+	 */
+	rc = l2tp_session_register(session, tunnel);
+	if (rc < 0) {
+		rtnl_unlock();
+		goto err_sess_dev;
+	}
+
+	rc = register_netdevice(dev);
+	if (rc < 0) {
+		rtnl_unlock();
+		l2tp_session_delete(session);
+		l2tp_session_dec_refcount(session);
+		free_netdev(dev);
+
+		return rc;
+	}

-	__module_get(THIS_MODULE);
-	/* Must be done after register_netdev() */
 	strlcpy(session->ifname, dev->name, IFNAMSIZ);
+	rcu_assign_pointer(spriv->dev, dev);

-	dev_hold(dev);
+	rtnl_unlock();
+
+	l2tp_session_dec_refcount(session);
+
+	__module_get(THIS_MODULE);

 	return 0;

-out_del_dev:
+err_sess_dev:
+	l2tp_session_dec_refcount(session);
 	free_netdev(dev);
-	spriv->dev = NULL;
-out_del_session:
-	l2tp_session_delete(session);
-out:
+err_sess:
+	kfree(session);
+err:
 	return rc;
 }


--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c