[PATCH 2/8] net: l2tp: Make l2tp_ip6 namespace aware

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Will Deacon <will@kernel.org>
To: gregkh@linuxfoundation.org
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-team@android.com, g.nault@alphalink.fr,
	Shmulik Ladkani <shmulik.ladkani@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	Will Deacon <will@kernel.org>
Subject: [PATCH 2/8] net: l2tp: Make l2tp_ip6 namespace aware
Date: Thu,  2 Apr 2020 18:32:44 +0100	[thread overview]
Message-ID: <20200402173250.7858-3-will@kernel.org> (raw)
In-Reply-To: <20200402173250.7858-1-will@kernel.org>

From: Shmulik Ladkani <shmulik.ladkani@gmail.com>

commit 0e6b5259824e97a0f7e7b450421ff12865d3b0e2 upstream.

l2tp_ip6 tunnel and session lookups were still using init_net, although
the l2tp core infrastructure already supports lookups keyed by 'net'.

As a result, l2tp_ip6_recv discarded packets for tunnels/sessions
created in namespaces other than the init_net.

Fix, by using dev_net(skb->dev) or sock_net(sk) where appropriate.

Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Will Deacon <will@kernel.org>
---
 net/l2tp/l2tp_ip6.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index a88649c5d26c..391dd9d8144f 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -127,6 +127,7 @@ static inline struct sock *l2tp_ip6_bind_lookup(struct net *net,
  */
 static int l2tp_ip6_recv(struct sk_buff *skb)
 {
+	struct net *net = dev_net(skb->dev);
 	struct sock *sk;
 	u32 session_id;
 	u32 tunnel_id;
@@ -153,7 +154,7 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
 	}
 
 	/* Ok, this is a data packet. Lookup the session. */
-	session = l2tp_session_find(&init_net, NULL, session_id);
+	session = l2tp_session_find(net, NULL, session_id);
 	if (session == NULL)
 		goto discard;
 
@@ -190,7 +191,7 @@ pass_up:
 		goto discard;
 
 	tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
-	tunnel = l2tp_tunnel_find(&init_net, tunnel_id);
+	tunnel = l2tp_tunnel_find(net, tunnel_id);
 	if (tunnel) {
 		sk = tunnel->sock;
 		sock_hold(sk);
@@ -198,7 +199,7 @@ pass_up:
 		struct ipv6hdr *iph = ipv6_hdr(skb);
 
 		read_lock_bh(&l2tp_ip6_lock);
-		sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr,
+		sk = __l2tp_ip6_bind_lookup(net, &iph->daddr,
 					    0, tunnel_id);
 		if (!sk) {
 			read_unlock_bh(&l2tp_ip6_lock);
@@ -267,6 +268,7 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 	struct inet_sock *inet = inet_sk(sk);
 	struct ipv6_pinfo *np = inet6_sk(sk);
 	struct sockaddr_l2tpip6 *addr = (struct sockaddr_l2tpip6 *) uaddr;
+	struct net *net = sock_net(sk);
 	__be32 v4addr = 0;
 	int addr_type;
 	int err;
@@ -288,7 +290,7 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 
 	err = -EADDRINUSE;
 	read_lock_bh(&l2tp_ip6_lock);
-	if (__l2tp_ip6_bind_lookup(&init_net, &addr->l2tp_addr,
+	if (__l2tp_ip6_bind_lookup(net, &addr->l2tp_addr,
 				   sk->sk_bound_dev_if, addr->l2tp_conn_id))
 		goto out_in_use;
 	read_unlock_bh(&l2tp_ip6_lock);
@@ -461,7 +463,7 @@ static int l2tp_ip6_backlog_recv(struct sock *sk, struct sk_buff *skb)
 	return 0;
 
 drop:
-	IP_INC_STATS(&init_net, IPSTATS_MIB_INDISCARDS);
+	IP_INC_STATS(sock_net(sk), IPSTATS_MIB_INDISCARDS);
 	kfree_skb(skb);
 	return -1;
 }
-- 
2.26.0.rc2.310.g2932bb562d-goog

next prev parent reply	other threads:[~2020-04-02 17:33 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-02 17:32 [PATCH 0/8] [backports] l2tp use-after-free fixes for 4.4 stable Will Deacon
2020-04-02 17:32 ` [PATCH 1/8] l2tp: Correctly return -EBADF from pppol2tp_getname Will Deacon
2020-04-02 17:32 ` Will Deacon [this message]
2020-04-02 17:32 ` [PATCH 3/8] l2tp: fix race in l2tp_recv_common() Will Deacon
2020-04-02 17:32 ` [PATCH 4/8] l2tp: ensure session can't get removed during pppol2tp_session_ioctl() Will Deacon
2020-04-02 17:32 ` [PATCH 5/8] l2tp: fix duplicate session creation Will Deacon
2020-04-02 17:32 ` [PATCH 6/8] l2tp: Refactor the codes with existing macros instead of literal number Will Deacon
2020-04-02 17:32 ` [PATCH 7/8] l2tp: ensure sessions are freed after their PPPOL2TP socket Will Deacon
2020-04-02 17:32 ` [PATCH 8/8] l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall() Will Deacon
2020-04-03 12:45 ` [PATCH 0/8] [backports] l2tp use-after-free fixes for 4.4 stable Greg KH
2020-04-03 13:22   ` Will Deacon

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a88649c5d26 dfblob:391dd9d8144 )
 OR (
bs:"[PATCH 2/8] net: l2tp: Make l2tp_ip6 namespace aware" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200402173250.7858-3-will@kernel.org \
    --to=will@kernel.org \
    --cc=davem@davemloft.net \
    --cc=g.nault@alphalink.fr \
    --cc=gregkh@linuxfoundation.org \
    --cc=kernel-team@android.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=shmulik.ladkani@gmail.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.