[PATCH 1/1] l2tp: l2tp_ip - fix possible oops on packet receive

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 1/1] l2tp: l2tp_ip - fix possible oops on packet receive
@ 2012-01-25 12:39 James Chapman
  2012-01-25 13:06 ` Eric Dumazet
  0 siblings, 1 reply; 3+ messages in thread
From: James Chapman @ 2012-01-25 12:39 UTC (permalink / raw)
  To: netdev; +Cc: James Chapman

When a packet is received on an L2TP IP socket (L2TPv3 IP link
encapsulation), the l2tpip socket's backlog_rcv function calls
xfrm4_policy_check(). This is not necessary, since it was called
before the skb was added to the backlog. With CONFIG_NET_NS enabled,
xfrm4_policy_check() will oops if skb->dev is null, so this trivial
patch removes the call.

This bug has always been present, but only when CONFIG_NET_NS is
enabled does it cause problems. Most users are probably using UDP
encapsulation for L2TP, hence the problem has only recently
surfaced.

EIP: 0060:[<c12bb62b>] EFLAGS: 00210246 CPU: 0
EIP is at l2tp_ip_recvmsg+0xd4/0x2a7
EAX: 00000001 EBX: d77b5180 ECX: 00000000 EDX: 00200246
ESI: 00000000 EDI: d63cbd30 EBP: d63cbd18 ESP: d63cbcf4
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Call Trace:
 [<c1218568>] sock_common_recvmsg+0x31/0x46
 [<c1215c92>] __sock_recvmsg_nosec+0x45/0x4d
 [<c12163a1>] __sock_recvmsg+0x31/0x3b
 [<c1216828>] sock_recvmsg+0x96/0xab
 [<c10b2693>] ? might_fault+0x47/0x81
 [<c10b2693>] ? might_fault+0x47/0x81
 [<c1167fd0>] ? _copy_from_user+0x31/0x115
 [<c121e8c8>] ? copy_from_user+0x8/0xa
 [<c121ebd6>] ? verify_iovec+0x3e/0x78
 [<c1216604>] __sys_recvmsg+0x10a/0x1aa
 [<c1216792>] ? sock_recvmsg+0x0/0xab
 [<c105a99b>] ? __lock_acquire+0xbdf/0xbee
 [<c12d5a99>] ? do_page_fault+0x193/0x375
 [<c10d1200>] ? fcheck_files+0x9b/0xca
 [<c10d1259>] ? fget_light+0x2a/0x9c
 [<c1216bbb>] sys_recvmsg+0x2b/0x43
 [<c1218145>] sys_socketcall+0x16d/0x1a5
 [<c11679f0>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c100305f>] sysenter_do_call+0x12/0x38
Code: c6 05 8c ea a8 c1 01 e8 0c d4 d9 ff 85 f6 74 07 3e ff 86 80 00 00 00 b9 17 b6 2b c1 ba 01 00 00 00 b8 78 ed 48 c1 e8 23 f6 d9 ff <ff> 76 0c 68 28 e3 30 c1 68 2d 44 41 c1 e8 89 57 01 00 83 c4 0c

Signed-off-by: James Chapman <jchapman@katalix.com>

---

Push to stable trees too?
---
 net/l2tp/l2tp_ip.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index d21e7eb..55670ec 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -393,11 +393,6 @@ static int l2tp_ip_backlog_recv(struct sock *sk, struct sk_buff *skb)
 {
 	int rc;
 
-	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
-		goto drop;
-
-	nf_reset(skb);
-
 	/* Charge it to the socket, dropping if the queue is full. */
 	rc = sock_queue_rcv_skb(sk, skb);
 	if (rc < 0)
-- 
1.7.0.4

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] l2tp: l2tp_ip - fix possible oops on packet receive
  2012-01-25 12:39 [PATCH 1/1] l2tp: l2tp_ip - fix possible oops on packet receive James Chapman
@ 2012-01-25 13:06 ` Eric Dumazet
  2012-01-26  2:45   ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Dumazet @ 2012-01-25 13:06 UTC (permalink / raw)
  To: James Chapman; +Cc: netdev, alex, Ben Hutchings

Le mercredi 25 janvier 2012 à 12:39 +0000, James Chapman a écrit :
> When a packet is received on an L2TP IP socket (L2TPv3 IP link
> encapsulation), the l2tpip socket's backlog_rcv function calls
> xfrm4_policy_check(). This is not necessary, since it was called
> before the skb was added to the backlog. With CONFIG_NET_NS enabled,
> xfrm4_policy_check() will oops if skb->dev is null, so this trivial
> patch removes the call.
> 
> This bug has always been present, but only when CONFIG_NET_NS is
> enabled does it cause problems. Most users are probably using UDP
> encapsulation for L2TP, hence the problem has only recently
> surfaced.
> 
...
> Signed-off-by: James Chapman <jchapman@katalix.com>
> 
> ---

Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: alex <alex@m3x.org>
Cc: Ben Hutchings <ben@decadent.org.uk>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] l2tp: l2tp_ip - fix possible oops on packet receive
  2012-01-25 13:06 ` Eric Dumazet
@ 2012-01-26  2:45   ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2012-01-26  2:45 UTC (permalink / raw)
  To: eric.dumazet; +Cc: jchapman, netdev, alex, ben

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 25 Jan 2012 14:06:57 +0100

> Le mercredi 25 janvier 2012 à 12:39 +0000, James Chapman a écrit :
>> When a packet is received on an L2TP IP socket (L2TPv3 IP link
>> encapsulation), the l2tpip socket's backlog_rcv function calls
>> xfrm4_policy_check(). This is not necessary, since it was called
>> before the skb was added to the backlog. With CONFIG_NET_NS enabled,
>> xfrm4_policy_check() will oops if skb->dev is null, so this trivial
>> patch removes the call.
>> 
>> This bug has always been present, but only when CONFIG_NET_NS is
>> enabled does it cause problems. Most users are probably using UDP
>> encapsulation for L2TP, hence the problem has only recently
>> surfaced.
>> 
> ...
>> Signed-off-by: James Chapman <jchapman@katalix.com>
>> 
>> ---
> 
> Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: alex <alex@m3x.org>
> Cc: Ben Hutchings <ben@decadent.org.uk>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2012-01-26  2:46 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-25 12:39 [PATCH 1/1] l2tp: l2tp_ip - fix possible oops on packet receive James Chapman
2012-01-25 13:06 ` Eric Dumazet
2012-01-26  2:45   ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).