1. 05 Feb, 2013 1 commit
  2. 08 Jun, 2012 1 commit
  3. 29 May, 2012 1 commit
    • James Chapman's avatar
      l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case · c51ce497
      James Chapman authored
      An application may call connect() to disconnect a socket using an
      address with family AF_UNSPEC. The L2TP IP sockets were not handling
      this case when the socket is not bound and an attempt to connect()
      using AF_UNSPEC in such cases would result in an oops. This patch
      addresses the problem by protecting the sk_prot->disconnect() call
      against trying to unhash the socket before it is bound.
      The L2TP IPv4 and IPv6 sockets have the same problem. Both are fixed
      by this patch.
      The patch also adds more checks that the sockaddr supplied to bind()
      and connect() calls is valid.
       RIP: 0010:[<ffffffff82e133b0>]  [<ffffffff82e133b0>] inet_unhash+0x50/0xd0
       RSP: 0018:ffff88001989be28  EFLAGS: 00010293
        ffff8800407a8000 0000000000000000 ffff88001989be78 ffffffff82e3a249
        ffffffff82e3a050 ffff88001989bec8 ffff88001989be88 ffff8800407a8000
        0000000000000010 ffff88001989bec8 ffff88001989bea8 ffffffff82e42639
       Call Trace:
       [<ffffffff82e3a249>] udp_disconnect+0x1f9/0x290
       [<ffffffff82e42639>] inet_dgram_connect+0x29/0x80
       [<ffffffff82d012fc>] sys_connect+0x9c/0x100
      Reported-by: default avatarSasha Levin <levinsasha928@gmail.com>
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  4. 17 May, 2012 1 commit
  5. 03 May, 2012 1 commit
    • Sasha Levin's avatar
      net: l2tp: unlock socket lock before returning from l2tp_ip_sendmsg · 84768edb
      Sasha Levin authored
      l2tp_ip_sendmsg could return without releasing socket lock, making it all the
      way to userspace, and generating the following warning:
      [  130.891594] ================================================
      [  130.894569] [ BUG: lock held when returning to user space! ]
      [  130.897257] 3.4.0-rc5-next-20120501-sasha #104 Tainted: G        W
      [  130.900336] ------------------------------------------------
      [  130.902996] trinity/8384 is leaving the kernel with locks still held!
      [  130.906106] 1 lock held by trinity/8384:
      [  130.907924]  #0:  (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff82b9503f>] l2tp_ip_sendmsg+0x2f/0x550
      Introduced by commit 2f16270f
       ("l2tp: Fix locking in l2tp_ip.c").
      Signed-off-by: default avatarSasha Levin <levinsasha928@gmail.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  6. 01 May, 2012 2 commits
  7. 13 Apr, 2012 2 commits
  8. 26 Jan, 2012 1 commit
    • James Chapman's avatar
      l2tp: l2tp_ip - fix possible oops on packet receive · 68315801
      James Chapman authored
      When a packet is received on an L2TP IP socket (L2TPv3 IP link
      encapsulation), the l2tpip socket's backlog_rcv function calls
      xfrm4_policy_check(). This is not necessary, since it was called
      before the skb was added to the backlog. With CONFIG_NET_NS enabled,
      xfrm4_policy_check() will oops if skb->dev is null, so this trivial
      patch removes the call.
      This bug has always been present, but only when CONFIG_NET_NS is
      enabled does it cause problems. Most users are probably using UDP
      encapsulation for L2TP, hence the problem has only recently
      EIP: 0060:[<c12bb62b>] EFLAGS: 00210246 CPU: 0
      EIP is at l2tp_ip_recvmsg+0xd4/0x2a7
      EAX: 00000001 EBX: d77b5180 ECX: 00000000 EDX: 00200246
      ESI: 00000000 EDI: d63cbd30 EBP: d63cbd18 ESP: d63cbcf4
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      Call Trace:
       [<c1218568>] sock_common_recvmsg+0x31/0x46
       [<c1215c92>] __sock_recvmsg_nosec+0x45/0x4d
       [<c12163a1>] __sock_recvmsg+0x31/0x3b
       [<c1216828>] sock_recvmsg+0x96/0xab
       [<c10b2693>] ? might_fault+0x47/0x81
       [<c10b2693>] ? might_fault+0x47/0x81
       [<c1167fd0>] ? _copy_from_user+0x31/0x115
       [<c121e8c8>] ? copy_from_user+0x8/0xa
       [<c121ebd6>] ? verify_iovec+0x3e/0x78
       [<c1216604>] __sys_recvmsg+0x10a/0x1aa
       [<c1216792>] ? sock_recvmsg+0x0/0xab
       [<c105a99b>] ? __lock_acquire+0xbdf/0xbee
       [<c12d5a99>] ? do_page_fault+0x193/0x375
       [<c10d1200>] ? fcheck_files+0x9b/0xca
       [<c10d1259>] ? fget_light+0x2a/0x9c
       [<c1216bbb>] sys_recvmsg+0x2b/0x43
       [<c1218145>] sys_socketcall+0x16d/0x1a5
       [<c11679f0>] ? trace_hardirqs_on_thunk+0xc/0x10
       [<c100305f>] sysenter_do_call+0x12/0x38
      Code: c6 05 8c ea a8 c1 01 e8 0c d4 d9 ff 85 f6 74 07 3e ff 86 80 00 00 00 b9 17 b6 2b c1 ba 01 00 00 00 b8 78 ed 48 c1 e8 23 f6 d9 ff <ff> 76 0c 68 28 e3 30 c1 68 2d 44 41 c1 e8 89 57 01 00 83 c4 0c
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  9. 13 Jun, 2011 1 commit
  10. 08 May, 2011 3 commits
  11. 04 May, 2011 1 commit
  12. 29 Apr, 2011 2 commits
  13. 28 Apr, 2011 2 commits
    • David S. Miller's avatar
      l2tp: Fix inet_opt conversion. · 778865a5
      David S. Miller authored
      We don't actually hold the socket lock at this point, so the
      rcu_dereference_protected() isn't' correct.  Thanks to Eric
      Dumazet for pointing this out.
      Thankfully, we're only interested in fetching the faddr value
      if srr is enabled, so we can simply make this an RCU sequence
      and use plain rcu_dereference().
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Eric Dumazet's avatar
      inet: add RCU protection to inet->opt · f6d8bd05
      Eric Dumazet authored
      We lack proper synchronization to manipulate inet->opt ip_options
      Problem is ip_make_skb() calls ip_setup_cork() and
      ip_setup_cork() possibly makes a copy of ipc->opt (struct ip_options),
      without any protection against another thread manipulating inet->opt.
      Another thread can change inet->opt pointer and free old one under us.
      Use RCU to protect inet->opt (changed to inet->inet_opt).
      Instead of handling atomic refcounts, just copy ip_options when
      necessary, to avoid cache line dirtying.
      We cant insert an rcu_head in struct ip_options since its included in
      skb->cb[], so this patch is large because I had to introduce a new
      ip_options_rcu structure.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  14. 27 Apr, 2011 2 commits
    • David S. Miller's avatar
      ipv4: Sanitize and simplify ip_route_{connect,newports}() · 2d7192d6
      David S. Miller authored
      These functions are used together as a unit for route resolution
      during connect().  They address the chicken-and-egg problem that
      exists when ports need to be allocated during connect() processing,
      yet such port allocations require addressing information from the
      routing code.
      It's currently more heavy handed than it needs to be, and in
      particular we allocate and initialize a flow object twice.
      Let the callers provide the on-stack flow object.  That way we only
      need to initialize it once in the ip_route_connect() call.
      Later, if ip_route_newports() needs to do anything, it re-uses that
      flow object as-is except for the ports which it updates before the
      route re-lookup.
      Also, describe why this set of facilities are needed and how it works
      in a big comment.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Reviewed-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
    • Lucas De Marchi's avatar
      Revert wrong fixes for common misspellings · e9c54999
      Lucas De Marchi authored
      These changes were incorrectly fixed by codespell. They were now
      manually corrected.
      Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@profusion.mobi>
  15. 12 Mar, 2011 1 commit
  16. 02 Mar, 2011 1 commit
  17. 01 Mar, 2011 3 commits
  18. 08 Dec, 2010 1 commit
  19. 17 Nov, 2010 1 commit
  20. 24 Oct, 2010 1 commit
  21. 21 Oct, 2010 1 commit
  22. 11 Jun, 2010 1 commit
  23. 16 Apr, 2010 1 commit
  24. 03 Apr, 2010 1 commit
    • James Chapman's avatar
      l2tp: Add L2TPv3 IP encapsulation (no UDP) support · 0d76751f
      James Chapman authored
      This patch adds a new L2TPIP socket family and modifies the core to
      handle the case where there is no UDP header in the L2TP
      packet. L2TP/IP uses IP protocol 115. Since L2TP/UDP and L2TP/IP
      packets differ in layout, the datapath packet handling code needs
      changes too. Userspace uses an L2TPIP socket instead of a UDP socket
      when IP encapsulation is required.
      We can't use raw sockets for this because the semantics of raw sockets
      don't lend themselves to the socket-per-tunnel model - we need to
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>