1. 23 Aug 2020, 1 commit
  2. 25 Jul 2020, 3 commits
    • l2tp: don't BUG_ON seqfile checks in l2tp_ppp · ebb4f5e6
      Authored by Tom Parkin
      checkpatch advises that WARN_ON and recovery code are preferred over
      BUG_ON which crashes the kernel.
      
      l2tp_ppp has a BUG_ON check of struct seq_file's private pointer in
      pppol2tp_seq_start prior to accessing data through that pointer.
      
      Rather than crashing, we can simply bail out early and return NULL in
      order to terminate the seq file processing in much the same way as we do
      when reaching the end of tunnel/session instances to render.
      
      Retain a WARN_ON to help trace possible bugs in this area.
      Signed-off-by: Tom Parkin <tparkin@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: don't BUG_ON session magic checks in l2tp_ppp · 1aa646ac
      Authored by Tom Parkin
      checkpatch advises that WARN_ON and recovery code are preferred over
      BUG_ON which crashes the kernel.
      
      l2tp_ppp.c's BUG_ON checks of the l2tp session structure's "magic" field
      occur in code paths where it's reasonably easy to recover:
      
       * In the case of pppol2tp_sock_to_session, we can return NULL and the
         caller will bail out appropriately.  There is no change required to
         any of the callsites of this function since they already handle
         pppol2tp_sock_to_session returning NULL.
      
       * In the case of pppol2tp_session_destruct we can just avoid
         decrementing the reference count on the suspect session structure.
         In the worst case scenario this results in a memory leak, which is
         preferable to a crash.
      
      Convert these uses of BUG_ON to WARN_ON accordingly.
      Signed-off-by: Tom Parkin <tparkin@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: pass a sockptr_t into ->setsockopt · a7b75c5a
      Authored by Christoph Hellwig
      Rework the remaining setsockopt code to pass a sockptr_t instead of a
      plain user pointer.  This removes the last remaining set_fs(KERNEL_DS)
      outside of architecture specific code.
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Acked-by: Stefan Schmidt <stefan@datenfreihafen.org> [ieee802154]
      Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 24 Jul 2020, 2 commits
  4. 23 Jul 2020, 4 commits
  5. 31 Jul 2019, 1 commit
    • compat_ioctl: pppoe: fix PPPOEIOCSFWD handling · 055d8824
      Authored by Arnd Bergmann
      Support for handling the PPPOEIOCSFWD ioctl in compat mode was added in
      linux-2.5.69 along with hundreds of other commands, but was always broken
      since only the structure is compatible, but the command number is not,
      due to the size being sizeof(size_t), or at first sizeof(sizeof((struct
      sockaddr_pppox)), which is different on 64-bit architectures.
      
      Guillaume Nault adds:
      
        And the implementation was broken until 2016 (see 29e73269 ("pppoe:
        fix reference counting in PPPoE proxy")), and nobody ever noticed. I
        should probably have removed this ioctl entirely instead of fixing it.
        Clearly, it has never been used.
      
      Fix it by adding a compat_ioctl handler for all pppoe variants that
      translates the command number and then calls the regular ioctl function.
      
      All other ioctl commands handled by pppoe are compatible between 32-bit
      and 64-bit, and require compat_ptr() conversion.
      
      This should apply to all stable kernels.
      Acked-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  6. 31 May 2019, 1 commit
  7. 19 Apr 2019, 1 commit
  8. 21 Dec 2018, 1 commit
    • ppp: Move PFC decompression to PPP generic layer · 7fb1b8ca
      Authored by Sam Protsenko
      Extract "Protocol" field decompression code from transport protocols to
      PPP generic layer, where it actually belongs. As a consequence, this
      patch fixes incorrect place of PFC decompression in L2TP driver (when
      it's not PPPOX_BOUND) and also enables this decompression for other
      protocols, like PPPoE.
      
      Protocol field decompression also happens in PPP Multilink Protocol
      code and in PPP compression protocols implementations (bsd, deflate,
      mppe). It looks like there is no easy way to get rid of that, so it was
      decided to leave it as is, but provide those cases with appropriate
      comments instead.
      
      Changes in v2:
        - Fix the order of checking skb data room and proto decompression
        - Remove "inline" keyword from ppp_decompress_proto()
        - Don't split line before function name
        - Prefix ppp_decompress_proto() function with "__"
        - Add ppp_decompress_proto() function with skb data room checks
        - Add description for introduced functions
        - Fix comments (as per review on mailing list)
      Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
      Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  9. 16 Dec 2018, 1 commit
    • l2tp: Add protocol field decompression · c151acc6
      Authored by Sam Protsenko
      When Protocol Field Compression (PFC) is enabled, the "Protocol" field
      in PPP packet will be received without leading 0x00. See section 6.5 in
      RFC 1661 for details. So let's decompress protocol field if needed, the
      same way it's done in drivers/net/ppp/pptp.c.
      
      In case when "nopcomp" pppd option is not enabled, PFC (pcomp) can be
      negotiated during LCP handshake, and L2TP driver in kernel will receive
      PPP packets with compressed Protocol field, which in turn leads to next
      error:
      
          Protocol Rejected (unsupported protocol 0x2145)
      
      because instead of Protocol=0x0021 in PPP packet there will be
      Protocol=0x21. This patch unwraps it back to 0x0021, which fixes the
      issue.
      
      Sending the compressed Protocol field will be implemented in subsequent
      patch, this one is self-sufficient.
      Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
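The Protocol Field Compression rule the two PFC commits above rely on (RFC 1661, section 6.5) is small enough to show in full. The following is an added example in plain C, not kernel code and not Sam Protsenko's patch: it decodes the protocol field of a PPP frame whether or not PFC is in use, refuses frames that are too short or violate the even/odd octet rule, and, going slightly beyond the commit, also shows what a receiver that ignores PFC reads from the same frame (the 0x2145 value quoted in the error message). The sample frames in `main` are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: decoding the PPP "Protocol" field under
 * Protocol Field Compression (RFC 1661, section 6.5).
 *
 * PPP protocol numbers are assigned so that the high octet is even and the
 * low octet is odd. When PFC has been negotiated, the sender may drop the
 * leading 0x00 of protocols 0x0001..0x00ff, so a frame whose first octet is
 * odd carries a one-octet protocol field and the 0x00 must be put back. */

/* Decode the protocol field at the start of buf.
 * On success stores the uncompressed 16-bit protocol number in *proto and
 * returns the number of octets the field occupied (1 or 2). Returns 0 when
 * the buffer is too short or the field violates the even/odd rule, so a
 * caller never reads past the end of a truncated frame. */
size_t ppp_decompress_proto(const uint8_t *buf, size_t len, uint16_t *proto)
{
    if (len < 1)
        return 0;
    if (buf[0] & 0x01) {
        /* compressed form: a single odd octet with an implied 0x00 high octet */
        *proto = buf[0];
        return 1;
    }
    if (len < 2)
        return 0;
    if (!(buf[1] & 0x01))
        return 0;           /* low octet of a two-octet field must be odd */
    *proto = (uint16_t)((buf[0] << 8) | buf[1]);
    return 2;
}

/* Convenience wrapper: the decoded protocol number, or 0xffff (never a valid
 * PPP protocol, since both octets are odd) when the field cannot be decoded. */
uint16_t ppp_proto_of(const uint8_t *buf, size_t len)
{
    uint16_t proto;
    return ppp_decompress_proto(buf, len, &proto) ? proto : 0xffff;
}

/* Reads two octets unconditionally, as a receiver that ignores PFC would do.
 * On a compressed IPv4 frame this yields "protocol" 0x2145 instead of
 * 0x0021, the unsupported-protocol value quoted in the commit message. */
uint16_t ppp_read_proto_naive(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return 0;
    return (uint16_t)((buf[0] << 8) | buf[1]);
}

int main(void)
{
    /* constructed sample frames: IPv4 (0x0021) with and without PFC, and LCP (0xc021) */
    const uint8_t compressed[]   = { 0x21, 0x45, 0x00, 0x00 };
    const uint8_t uncompressed[] = { 0x00, 0x21, 0x45, 0x00 };
    const uint8_t lcp[]          = { 0xc0, 0x21, 0x01, 0x01 };
    const uint8_t *frames[] = { compressed, uncompressed, lcp };
    size_t i;

    for (i = 0; i < 3; i++) {
        uint16_t proto = 0;
        size_t used = ppp_decompress_proto(frames[i], 4, &proto);
        printf("frame %zu: proto 0x%04x (%zu-octet field), naive read 0x%04x\n",
               i, proto, used, ppp_read_proto_naive(frames[i], 4));
    }
    return 0;
}
```

The length check before touching the second octet is the point of the "skb data room" changes listed in the v2 notes of the follow-up commit: a one-octet compressed field can legitimately sit at the very end of a frame, and a decoder that assumes two octets reads past it.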
  10. 14 Aug 2018, 1 commit
    • l2tp: fix unused function warning · c2ebc256
      Authored by Arnd Bergmann
      Removing one of the callers of pppol2tp_session_get_sock caused a harmless
      warning in some configurations:
      
      net/l2tp/l2tp_ppp.c:142:21: 'pppol2tp_session_get_sock' defined but not used [-Wunused-function]
      
      Rather than adding another #ifdef here, using a proper IS_ENABLED()
      check makes the code more readable and avoids those warnings while
      letting the compiler figure out for itself which code is needed.
      
      This adds one pointer for the unused show() callback in struct
      l2tp_session, but that seems harmless.
      
      Fixes: b0e29063 ("l2tp: remove pppol2tp_session_ioctl()")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  11. 12 Aug 2018, 8 commits
  12. 04 Aug 2018, 3 commits
    • l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() · f664e37d
      Authored by Guillaume Nault
      If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
      drop the reference taken by l2tp_session_get().
      
      Fixes: ecd012e4 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: simplify MTU handling in l2tp_ppp · 789141b2
      Authored by Guillaume Nault
      The value of the session's .mtu field, as defined by
      pppol2tp_connect() or pppol2tp_session_create(), is later overwritten
      by pppol2tp_session_init() (unless getting the tunnel's socket PMTU
      fails). This field is then only used when setting the PPP channel's MTU
      in pppol2tp_connect().
      Furthermore, the SIOC[GS]IFMTU ioctls only act on the session's .mtu
      without propagating this value to the PPP channel, making them useless.
      
      This patch initialises the PPP channel's MTU directly and ignores the
      session's .mtu entirely. MTU is still computed by subtracting the
      PPPOL2TP_HEADER_OVERHEAD constant. It is not optimal, but that doesn't
      really matter: po->chan.mtu is only used when the channel is part of a
      multilink PPP bundle. Running multilink PPP over packet switched
      networks is certainly not going to be efficient, so not picking the
      best MTU does not harm (in the worst case, packets will just be
      fragmented by the underlay).
      
      The SIOC[GS]IFMTU ioctls are removed entirely (as opposed to simply
      ignored), because these ioctls commands are part of the requests that
      should be handled generically by the socket layer. PX_PROTO_OL2TP was
      the only socket type abusing these ioctls.
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: define l2tp_tunnel_dst_mtu() · 1f5cd2a0
      Authored by Guillaume Nault
      Consolidate retrieval of tunnel's socket mtu in order to simplify
      l2tp_eth and l2tp_ppp a bit.
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  13. 28 Jul 2018, 2 commits
  14. 27 Jul 2018, 1 commit
    • l2tp: remove ->recv_payload_hook · 2b139e6b
      Authored by Guillaume Nault
      The tunnel reception hook is only used by l2tp_ppp for skipping PPP
      framing bytes. This is a session specific operation, but once a PPP
      session sets ->recv_payload_hook on its tunnel, all frames received by
      the tunnel will enter pppol2tp_recv_payload_hook(), including those
      targeted at Ethernet sessions (an L2TPv3 tunnel can multiplex PPP and
      Ethernet sessions).
      
      So this mechanism is wrong, and uselessly complex. Let's just move this
      functionality to the pppol2tp rx handler and drop ->recv_payload_hook.
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  15. 29 Jun 2018, 1 commit
    • Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL · a11e1d43
      Authored by Linus Torvalds
      The poll() changes were not well thought out, and completely
      unexplained.  They also caused a huge performance regression, because
      "->poll()" was no longer a trivial file operation that just called down
      to the underlying file operations, but instead did at least two indirect
      calls.
      
      Indirect calls are sadly slow now with the Spectre mitigation, but the
      performance problem could at least be largely mitigated by changing the
      "->get_poll_head()" operation to just have a per-file-descriptor pointer
      to the poll head instead.  That gets rid of one of the new indirections.
      
      But that doesn't fix the new complexity that is completely unwarranted
      for the regular case.  The (undocumented) reason for the poll() changes
      was some alleged AIO poll race fixing, but we don't make the common case
      slower and more complex for some uncommon special case, so this all
      really needs way more explanations and most likely a fundamental
      redesign.
      
      [ This revert is a revert of about 30 different commits, not reverted
        individually because that would just be unnecessarily messy  - Linus ]
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  16. 28 Jun 2018, 1 commit
    • l2tp: define helper for parsing struct sockaddr_pppol2tp* · a408194a
      Authored by Guillaume Nault
      'sockaddr_len' is checked against various values when entering
      pppol2tp_connect(), to verify its validity. It is used again later, to
      find out which sockaddr structure was passed from user space. This
      patch combines these two operations into one new function in order to
      simplify pppol2tp_connect().
      
      A new structure, l2tp_connect_info, is used to pass sockaddr data back
      to pppol2tp_connect(), to avoid passing too many parameters to
      l2tp_sockaddr_get_info(). Also, the first parameter is void* in order
      to avoid casting between all sockaddr_* structures manually.
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  17. 26 Jun 2018, 1 commit
  18. 16 Jun 2018, 1 commit
  19. 15 Jun 2018, 4 commits
  20. 05 Jun 2018, 1 commit
    • l2tp: fix refcount leakage on PPPoL2TP sockets · 3d609342
      Authored by Guillaume Nault
      Commit d02ba2a6 ("l2tp: fix race in pppol2tp_release with session
      object destroy") tried to fix a race condition where a PPPoL2TP socket
      would disappear while the L2TP session was still using it. However, it
      missed the root issue which is that an L2TP session may accept to be
      reconnected if its associated socket has entered the release process.
      
      The tentative fix makes the session hold the socket it is connected to.
      That saves the kernel from crashing, but introduces refcount leakage,
      preventing the socket from completing the release process. Once stalled,
      everything the socket depends on can't be released anymore, including
      the L2TP session and the l2tp_ppp module.
      
      The root issue is that, when releasing a connected PPPoL2TP socket, the
      session's ->sk pointer (RCU-protected) is reset to NULL and we have to
      wait for a grace period before destroying the socket. The socket drops
      the session in its ->sk_destruct callback function, so the session
      will exist until the last reference on the socket is dropped.
      Therefore, there is a time frame where pppol2tp_connect() may accept
      reconnecting a session, as it only checks ->sk to figure out if the
      session is connected. This time frame is shortened by the fact that
      pppol2tp_release() calls l2tp_session_delete(), making the session
      unreachable before resetting ->sk. However, pppol2tp_connect() may
      grab the session before it gets unhashed by l2tp_session_delete(), but
      it may test ->sk after the latter got reset. The race is not so hard to
      trigger and syzbot found a pretty reliable reproducer:
      https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf
      
      Before d02ba2a6, another race could let pppol2tp_release()
      overwrite the ->__sk pointer of an L2TP session, thus tricking
      pppol2tp_put_sk() into calling sock_put() on a socket that is different
      than the one for which pppol2tp_release() was originally called. To get
      there, we had to trigger the race described above, therefore having one
      PPPoL2TP socket being released, while the session it is connected to is
      reconnecting to a different PPPoL2TP socket. When releasing this new
      socket fast enough, pppol2tp_release() overwrites the session's
      ->__sk pointer with the address of the new socket, before the first
      pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
      invoked by the original socket will sock_put() the new socket,
      potentially dropping its last reference. When the second
      pppol2tp_put_sk() finally runs, its socket has already been freed.
      
      With d02ba2a6, the session takes a reference on both sockets.
      Furthermore, the session's ->sk pointer is reset in the
      pppol2tp_session_close() callback function rather than in
      pppol2tp_release(). Therefore, ->__sk can't be overwritten and
      pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
      run pppol2tp_session_close() once, to protect the session against
      concurrent deletion requests). Now pppol2tp_put_sk() will properly
      sock_put() the original socket, but the new socket will remain, as
      l2tp_session_delete() prevented the release process from completing.
      Here, we don't depend on the ->__sk race to trigger the bug. Getting
      into the pppol2tp_connect() race is enough to leak the reference, no
      matter when the new socket is released.
      
      So it all boils down to pppol2tp_connect() failing to realise that the
      session has already been connected. This patch drops the unneeded extra
      reference counting (mostly reverting d02ba2a6) and checks that
      neither ->sk nor ->__sk is set before allowing a session to be
      connected.
      
      Fixes: d02ba2a6 ("l2tp: fix race in pppol2tp_release with session object destroy")
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  21. 26 May 2018, 1 commit