• James Chapman's avatar
    l2tp: l2tp_ip - fix possible oops on packet receive · 68315801
    James Chapman authored
    When a packet is received on an L2TP IP socket (L2TPv3 IP link
    encapsulation), the l2tpip socket's backlog_rcv function calls
    xfrm4_policy_check(). This is not necessary, since it was called
    before the skb was added to the backlog. With CONFIG_NET_NS enabled,
    xfrm4_policy_check() will oops if skb->dev is null, so this trivial
    patch removes the call.
    This bug has always been present, but only when CONFIG_NET_NS is
    enabled does it cause problems. Most users are probably using UDP
    encapsulation for L2TP, hence the problem has only recently
    EIP: 0060:[<c12bb62b>] EFLAGS: 00210246 CPU: 0
    EIP is at l2tp_ip_recvmsg+0xd4/0x2a7
    EAX: 00000001 EBX: d77b5180 ECX: 00000000 EDX: 00200246
    ESI: 00000000 EDI: d63cbd30 EBP: d63cbd18 ESP: d63cbcf4
     DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    Call Trace:
     [<c1218568>] sock_common_recvmsg+0x31/0x46
     [<c1215c92>] __sock_recvmsg_nosec+0x45/0x4d
     [<c12163a1>] __sock_recvmsg+0x31/0x3b
     [<c1216828>] sock_recvmsg+0x96/0xab
     [<c10b2693>] ? might_fault+0x47/0x81
     [<c10b2693>] ? might_fault+0x47/0x81
     [<c1167fd0>] ? _copy_from_user+0x31/0x115
     [<c121e8c8>] ? copy_from_user+0x8/0xa
     [<c121ebd6>] ? verify_iovec+0x3e/0x78
     [<c1216604>] __sys_recvmsg+0x10a/0x1aa
     [<c1216792>] ? sock_recvmsg+0x0/0xab
     [<c105a99b>] ? __lock_acquire+0xbdf/0xbee
     [<c12d5a99>] ? do_page_fault+0x193/0x375
     [<c10d1200>] ? fcheck_files+0x9b/0xca
     [<c10d1259>] ? fget_light+0x2a/0x9c
     [<c1216bbb>] sys_recvmsg+0x2b/0x43
     [<c1218145>] sys_socketcall+0x16d/0x1a5
     [<c11679f0>] ? trace_hardirqs_on_thunk+0xc/0x10
     [<c100305f>] sysenter_do_call+0x12/0x38
    Code: c6 05 8c ea a8 c1 01 e8 0c d4 d9 ff 85 f6 74 07 3e ff 86 80 00 00 00 b9 17 b6 2b c1 ba 01 00 00 00 b8 78 ed 48 c1 e8 23 f6 d9 ff <ff> 76 0c 68 28 e3 30 c1 68 2d 44 41 c1 e8 89 57 01 00 83 c4 0c
    Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
    Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
l2tp_ip.c 16.5 KB