From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 13/37] l2tp: fix race while getting PMTU on PPP pseudo-wire
Date: Mon, 13 Oct 2014 04:24:10 +0200 [thread overview]
Message-ID: <20141013022400.855632202@linuxfoundation.org> (raw)
In-Reply-To: <20141013022400.286360067@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
[ Upstream commit eed4d839b0cdf9d84b0a9bc63de90fd5e1e886fb ]
Use dst_entry held by sk_dst_get() to retrieve tunnel's PMTU.
The dst_mtu(__sk_dst_get(tunnel->sock)) call was racy. __sk_dst_get()
could return NULL if tunnel->sock->sk_dst_cache was reset just before the
call, thus making dst_mtu() dereference a NULL pointer:
[ 1937.661598] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[ 1937.664005] IP: [<ffffffffa049db88>] pppol2tp_connect+0x33d/0x41e [l2tp_ppp]
[ 1937.664005] PGD daf0c067 PUD d9f93067 PMD 0
[ 1937.664005] Oops: 0000 [#1] SMP
[ 1937.664005] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core ip6table_filter ip6_tables iptable_filter ip_tables ebtable_nat ebtables x_tables udp_tunnel pppoe pppox ppp_generic slhc deflate ctr twofish_generic twofish_x86_64_3way xts lrw gf128mul glue_helper twofish_x86_64 twofish_common blowfish_generic blowfish_x86_64 blowfish_common des_generic cbc xcbc rmd160 sha512_generic hmac crypto_null af_key xfrm_algo 8021q garp bridge stp llc tun atmtcp clip atm ext3 mbcache jbd iTCO_wdt coretemp kvm_intel iTCO_vendor_support kvm pcspkr evdev ehci_pci lpc_ich mfd_core i5400_edac edac_core i5k_amb shpchp button processor thermal_sys xfs crc32c_generic libcrc32c dm_mod usbhid sg hid sr_mod sd_mod cdrom crc_t10dif crct10dif_common ata_generic ahci ata_piix tg3 libahci libata uhci_hcd ptp ehci_hcd pps_core usbcore scsi_mod libphy usb_common [last unloaded: l2tp_core]
[ 1937.664005] CPU: 0 PID: 10022 Comm: l2tpstress Tainted: G O 3.17.0-rc1 #1
[ 1937.664005] Hardware name: HP ProLiant DL160 G5, BIOS O12 08/22/2008
[ 1937.664005] task: ffff8800d8fda790 ti: ffff8800c43c4000 task.ti: ffff8800c43c4000
[ 1937.664005] RIP: 0010:[<ffffffffa049db88>] [<ffffffffa049db88>] pppol2tp_connect+0x33d/0x41e [l2tp_ppp]
[ 1937.664005] RSP: 0018:ffff8800c43c7de8 EFLAGS: 00010282
[ 1937.664005] RAX: ffff8800da8a7240 RBX: ffff8800d8c64600 RCX: 000001c325a137b5
[ 1937.664005] RDX: 8c6318c6318c6320 RSI: 000000000000010c RDI: 0000000000000000
[ 1937.664005] RBP: ffff8800c43c7ea8 R08: 0000000000000000 R09: 0000000000000000
[ 1937.664005] R10: ffffffffa048e2c0 R11: ffff8800d8c64600 R12: ffff8800ca7a5000
[ 1937.664005] R13: ffff8800c439bf40 R14: 000000000000000c R15: 0000000000000009
[ 1937.664005] FS: 00007fd7f610f700(0000) GS:ffff88011a600000(0000) knlGS:0000000000000000
[ 1937.664005] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1937.664005] CR2: 0000000000000020 CR3: 00000000d9d75000 CR4: 00000000000027e0
[ 1937.664005] Stack:
[ 1937.664005] ffffffffa049da80 ffff8800d8fda790 000000000000005b ffff880000000009
[ 1937.664005] ffff8800daf3f200 0000000000000003 ffff8800c43c7e48 ffffffff81109b57
[ 1937.664005] ffffffff81109b0e ffffffff8114c566 0000000000000000 0000000000000000
[ 1937.664005] Call Trace:
[ 1937.664005] [<ffffffffa049da80>] ? pppol2tp_connect+0x235/0x41e [l2tp_ppp]
[ 1937.664005] [<ffffffff81109b57>] ? might_fault+0x9e/0xa5
[ 1937.664005] [<ffffffff81109b0e>] ? might_fault+0x55/0xa5
[ 1937.664005] [<ffffffff8114c566>] ? rcu_read_unlock+0x1c/0x26
[ 1937.664005] [<ffffffff81309196>] SYSC_connect+0x87/0xb1
[ 1937.664005] [<ffffffff813e56f7>] ? sysret_check+0x1b/0x56
[ 1937.664005] [<ffffffff8107590d>] ? trace_hardirqs_on_caller+0x145/0x1a1
[ 1937.664005] [<ffffffff81213dee>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 1937.664005] [<ffffffff8114c262>] ? spin_lock+0x9/0xb
[ 1937.664005] [<ffffffff813092b4>] SyS_connect+0x9/0xb
[ 1937.664005] [<ffffffff813e56d2>] system_call_fastpath+0x16/0x1b
[ 1937.664005] Code: 10 2a 84 81 e8 65 76 bd e0 65 ff 0c 25 10 bb 00 00 4d 85 ed 74 37 48 8b 85 60 ff ff ff 48 8b 80 88 01 00 00 48 8b b8 10 02 00 00 <48> 8b 47 20 ff 50 20 85 c0 74 0f 83 e8 28 89 83 10 01 00 00 89
[ 1937.664005] RIP [<ffffffffa049db88>] pppol2tp_connect+0x33d/0x41e [l2tp_ppp]
[ 1937.664005] RSP <ffff8800c43c7de8>
[ 1937.664005] CR2: 0000000000000020
[ 1939.559375] ---[ end trace 82d44500f28f8708 ]---
Fixes: f34c4a35d879 ("l2tp: take PMTU from tunnel UDP socket")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/l2tp/l2tp_ppp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -758,7 +758,8 @@ static int pppol2tp_connect(struct socke
/* If PMTU discovery was enabled, use the MTU that was discovered */
dst = sk_dst_get(tunnel->sock);
if (dst != NULL) {
- u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock));
+ u32 pmtu = dst_mtu(dst);
+
if (pmtu != 0)
session->mtu = session->mru = pmtu -
PPPOL2TP_HEADER_OVERHEAD;
next prev parent reply other threads:[~2014-10-13 2:57 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-13 2:23 [PATCH 3.14 00/37] 3.14.22-stable review Greg Kroah-Hartman
2014-10-13 2:23 ` [PATCH 3.14 01/37] netlink: reset network header before passing to taps Greg Kroah-Hartman
2014-10-13 2:23 ` [PATCH 3.14 02/37] rtnetlink: fix VF info size Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 03/37] net: Always untag vlan-tagged traffic on input Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 04/37] myri10ge: check for DMA mapping errors Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 05/37] i40e: Dont stop driver probe when querying DCB config fails Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 06/37] tcp: dont use timestamp from repaired skb-s to calculate RTT (v2) Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 07/37] sit: Fix ipip6_tunnel_lookup device matching criteria Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 08/37] tcp: fix tcp_release_cb() to dispatch via address family for mtu_reduced() Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 09/37] tcp: fix ssthresh and undo for consecutive short FRTO episodes Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 10/37] packet: handle too big packets for PACKET_V3 Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 11/37] openvswitch: fix panic with multiple vlan headers Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 12/37] vxlan: fix incorrect initializer in union vxlan_addr Greg Kroah-Hartman
2014-10-13 2:24 ` Greg Kroah-Hartman [this message]
2014-10-13 2:24 ` [PATCH 3.14 14/37] ipv6: fix rtnl locking in setsockopt for anycast and multicast Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 15/37] bonding: fix div by zero while enslaving and transmitting Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 16/37] ipv6: restore the behavior of ipv6_sock_ac_drop() Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 17/37] bridge: Check if vlan filtering is enabled only once Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 18/37] bridge: Fix br_should_learn to check vlan_enabled Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 19/37] net: allow macvlans to move to net namespace Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 20/37] tg3: Work around HW/FW limitations with vlan encapsulated frames Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 21/37] tg3: Allow for recieve of full-size 8021AD frames Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 22/37] xfrm: Generate blackhole routes only from route lookup functions Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 23/37] xfrm: Generate queueing " Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 24/37] macvtap: Fix race between device delete and open Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 25/37] Revert "net/macb: add pinctrl consumer support" Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 26/37] gro: fix aggregation for skb using frag_list Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 27/37] hyperv: Fix a bug in netvsc_start_xmit() Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 28/37] ip6_gre: fix flowi6_proto value in xmit path Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 29/37] team: avoid race condition in scheduling delayed work Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 30/37] sctp: handle association restarts when the socket is closed Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 31/37] tcp: fixing TLPs FIN recovery Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 32/37] USB: Add device quirk for ASUS T100 Base Station keyboard Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 33/37] USB: serial: cp210x: added Ketra N1 wireless interface support Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 34/37] USB: cp210x: add support for Seluxit USB dongle Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 35/37] usb: musb: dsps: kill OTG timer on suspend Greg Kroah-Hartman
2014-10-13 2:24 ` [PATCH 3.14 36/37] crypto: caam - fix addressing of struct member Greg Kroah-Hartman
2014-10-14 8:31 ` Cristian Stoica
2014-10-14 8:38 ` Greg Kroah-Hartman
2014-10-14 8:48 ` Cristian Stoica
2014-10-13 2:24 ` [PATCH 3.14 37/37] serial: 8250: Add Quark X1000 to 8250_pci.c Greg Kroah-Hartman
2014-10-13 15:18 ` [PATCH 3.14 00/37] 3.14.22-stable review Guenter Roeck
2014-10-13 20:31 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141013022400.855632202@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=g.nault@alphalink.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.