Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A data-race vulnerability has been identified in the Linux kernel's L2TP (Layer 2 Tunneling Protocol) implementation, specifically within the 'l2tp_tunnel_del_work' function. This vulnerability arises from improper handling of socket data when dealing with kernel sockets, leading to a race condition. The issue was reported by syzbot and involves concurrent read and write operations on socket data, which can cause inconsistencies and unpredictable behavior in the network stack.
Exploiting this vulnerability triggers a data race, in which two tasks access the same shared data concurrently and produce unexpected behavior. In this case, the race can disrupt the proper management of L2TP tunnels and their associated sockets, potentially leading to resource leaks or corruption.
The vulnerability can be reproduced by creating an L2TP tunnel and then concurrently closing the tunnel while the system is processing scheduled work for that tunnel. This can be done by triggering the 'l2tp_tunnel_del_work' function through the workqueue, while simultaneously performing operations that cause the tunnel's socket to be released, such as closing the socket or the file descriptor associated with the tunnel.
The vulnerability has been fixed in the official Linux kernel repository. Users should upgrade to the latest version of the Linux kernel to apply this fix.