Skip to content

Commit 5d06676

Browse files
j-c-hPaolo Abeni
j-c-h
authored and
Paolo Abeni
committed
net/l2tp: fix warning in l2tp_exit_net found by syzbot
In l2tp's net exit handler, we check that an IDR is empty before destroying it: WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_tunnel_idr)); idr_destroy(&pn->l2tp_tunnel_idr); By forcing memory allocation failures in idr_alloc_32, syzbot is able to provoke a condition where idr_is_empty returns false despite there being no items in the IDR. This turns out to be because the radix tree of the IDR contains only internal radix-tree nodes and it is this that causes idr_is_empty to return false. The internal nodes are cleaned by idr_destroy. Use idr_for_each to check that the IDR is empty instead of idr_is_empty to avoid the problem. Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=332fe1e67018625f63c9 Fixes: 73d33bd ("l2tp: avoid using drain_workqueue in l2tp_pre_exit_net") Signed-off-by: James Chapman <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Paolo Abeni <[email protected]>
1 parent 9bb88c6 commit 5d06676

File tree

1 file changed

+19
-3
lines changed

1 file changed

+19
-3
lines changed

net/l2tp/l2tp_core.c

Lines changed: 19 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1870,15 +1870,31 @@ static __net_exit void l2tp_pre_exit_net(struct net *net)
18701870
}
18711871
}
18721872

1873+
static int l2tp_idr_item_unexpected(int id, void *p, void *data)
1874+
{
1875+
const char *idr_name = data;
1876+
1877+
pr_err("l2tp: %s IDR not empty at net %d exit\n", idr_name, id);
1878+
WARN_ON_ONCE(1);
1879+
return 1;
1880+
}
1881+
18731882
static __net_exit void l2tp_exit_net(struct net *net)
18741883
{
18751884
struct l2tp_net *pn = l2tp_pernet(net);
18761885

1877-
WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_v2_session_idr));
1886+
/* Our per-net IDRs should be empty. Check that is so, to
1887+
* help catch cleanup races or refcnt leaks.
1888+
*/
1889+
idr_for_each(&pn->l2tp_v2_session_idr, l2tp_idr_item_unexpected,
1890+
"v2_session");
1891+
idr_for_each(&pn->l2tp_v3_session_idr, l2tp_idr_item_unexpected,
1892+
"v3_session");
1893+
idr_for_each(&pn->l2tp_tunnel_idr, l2tp_idr_item_unexpected,
1894+
"tunnel");
1895+
18781896
idr_destroy(&pn->l2tp_v2_session_idr);
1879-
WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_v3_session_idr));
18801897
idr_destroy(&pn->l2tp_v3_session_idr);
1881-
WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_tunnel_idr));
18821898
idr_destroy(&pn->l2tp_tunnel_idr);
18831899
}
18841900

0 commit comments

Comments
 (0)