l2tp: hold reference on tunnels in netlink dumps
commit 5846c131c39b6d0add36ec19dc8650700690f930 upstream.
l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned
tunnel, therefore it can be freed whenever the caller uses it.
This patch defines l2tp_tunnel_get_nth() which works similarly, but
also takes a reference on the returned tunnel. The caller then has to
drop it after it stops using the tunnel.
Convert netlink dumps to make them safe against concurrent tunnel
deletion.
Fixes: 309795f4be
("l2tp: Add netlink control API for L2TP")
Change-Id: If625d89d841fa7e37794415dca0e0122374e8d60
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
This commit is contained in:
parent
6dfb6c988a
commit
104fe54350
|
@ -224,6 +224,26 @@ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
|
||||||
|
|
||||||
|
struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
|
||||||
|
{
|
||||||
|
const struct l2tp_net *pn = l2tp_pernet(net);
|
||||||
|
struct l2tp_tunnel *tunnel;
|
||||||
|
int count = 0;
|
||||||
|
|
||||||
|
rcu_read_lock_bh();
|
||||||
|
list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
|
||||||
|
if (++count > nth) {
|
||||||
|
l2tp_tunnel_inc_refcount(tunnel);
|
||||||
|
rcu_read_unlock_bh();
|
||||||
|
return tunnel;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
rcu_read_unlock_bh();
|
||||||
|
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth);
|
||||||
|
|
||||||
/* Like l2tp_session_find() but takes a reference on the returned session.
|
/* Like l2tp_session_find() but takes a reference on the returned session.
|
||||||
* Optionally calls session->ref() too if do_ref is true.
|
* Optionally calls session->ref() too if do_ref is true.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -223,6 +223,8 @@ static inline void *l2tp_session_priv(struct l2tp_session *session)
|
||||||
}
|
}
|
||||||
|
|
||||||
struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
|
struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
|
||||||
|
struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth);
|
||||||
|
|
||||||
void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
|
void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
|
||||||
|
|
||||||
struct l2tp_session *l2tp_session_get(const struct net *net,
|
struct l2tp_session *l2tp_session_get(const struct net *net,
|
||||||
|
|
|
@ -384,14 +384,17 @@ static int l2tp_nl_cmd_tunnel_dump(struct sk_buff *skb, struct netlink_callback
|
||||||
struct net *net = sock_net(skb->sk);
|
struct net *net = sock_net(skb->sk);
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
tunnel = l2tp_tunnel_find_nth(net, ti);
|
tunnel = l2tp_tunnel_get_nth(net, ti);
|
||||||
if (tunnel == NULL)
|
if (tunnel == NULL)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (l2tp_nl_tunnel_send(skb, NETLINK_CB(cb->skb).portid,
|
if (l2tp_nl_tunnel_send(skb, NETLINK_CB(cb->skb).portid,
|
||||||
cb->nlh->nlmsg_seq, NLM_F_MULTI,
|
cb->nlh->nlmsg_seq, NLM_F_MULTI,
|
||||||
tunnel) <= 0)
|
tunnel) <= 0) {
|
||||||
|
l2tp_tunnel_dec_refcount(tunnel);
|
||||||
goto out;
|
goto out;
|
||||||
|
}
|
||||||
|
l2tp_tunnel_dec_refcount(tunnel);
|
||||||
|
|
||||||
ti++;
|
ti++;
|
||||||
}
|
}
|
||||||
|
@ -739,7 +742,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
if (tunnel == NULL) {
|
if (tunnel == NULL) {
|
||||||
tunnel = l2tp_tunnel_find_nth(net, ti);
|
tunnel = l2tp_tunnel_get_nth(net, ti);
|
||||||
if (tunnel == NULL)
|
if (tunnel == NULL)
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
@ -747,6 +750,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
|
||||||
session = l2tp_session_get_nth(tunnel, si, false);
|
session = l2tp_session_get_nth(tunnel, si, false);
|
||||||
if (session == NULL) {
|
if (session == NULL) {
|
||||||
ti++;
|
ti++;
|
||||||
|
l2tp_tunnel_dec_refcount(tunnel);
|
||||||
tunnel = NULL;
|
tunnel = NULL;
|
||||||
si = 0;
|
si = 0;
|
||||||
continue;
|
continue;
|
||||||
|
@ -756,6 +760,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
|
||||||
cb->nlh->nlmsg_seq, NLM_F_MULTI,
|
cb->nlh->nlmsg_seq, NLM_F_MULTI,
|
||||||
session) <= 0) {
|
session) <= 0) {
|
||||||
l2tp_session_dec_refcount(session);
|
l2tp_session_dec_refcount(session);
|
||||||
|
l2tp_tunnel_dec_refcount(tunnel);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
l2tp_session_dec_refcount(session);
|
l2tp_session_dec_refcount(session);
|
||||||
|
|
Loading…
Reference in New Issue