From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
kernel-team@lists.ubuntu.com
Cc: "François CACHEREUL" <f.cachereul@alphalink.fr>,
"David S. Miller" <davem@davemloft.net>,
"Kamal Mostafa" <kamal@canonical.com>
Subject: [PATCH 3.8 14/91] l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
Date: Thu, 7 Nov 2013 18:14:29 -0800 [thread overview]
Message-ID: <1383876946-2396-15-git-send-email-kamal@canonical.com> (raw)
In-Reply-To: <1383876946-2396-1-git-send-email-kamal@canonical.com>
3.8.13.13 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Fran=C3=A7ois=20Cachereul?= <f.cachereul@alphalink.fr>
[ Upstream commit e18503f41f9b12132c95d7c31ca6ee5155e44e5c ]
IPv4 mapped addresses cause kernel panic.
The patch juste check whether the IPv6 address is an IPv4 mapped
address. If so, use IPv4 API instead of IPv6.
[ 940.026915] general protection fault: 0000 [#1]
[ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
[ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
[ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
[ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326
[ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
[ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
[ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
[ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
[ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
[ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
[ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
[ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
[ 940.026915] Stack:
[ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
[ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
[ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
[ 940.026915] Call Trace:
[ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
[ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
[ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
[ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
[ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
[ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
[ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
[ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
[ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
[ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
[ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326
[ 940.026915] RSP <ffff88000737fd28>
[ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
[ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
net/l2tp/l2tp_core.h | 3 +++
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 2ac884d..8861e9f 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -517,6 +517,7 @@ out:
static inline int l2tp_verify_udp_checksum(struct sock *sk,
struct sk_buff *skb)
{
+ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
struct udphdr *uh = udp_hdr(skb);
u16 ulen = ntohs(uh->len);
__wsum psum;
@@ -525,7 +526,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk,
return 0;
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6) {
+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) {
if (!uh->check) {
LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
return 1;
@@ -1088,7 +1089,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
/* Queue the packet to IP for output */
skb->local_df = 1;
#if IS_ENABLED(CONFIG_IPV6)
- if (skb->sk->sk_family == PF_INET6)
+ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped)
error = inet6_csk_xmit(skb, NULL);
else
#endif
@@ -1221,7 +1222,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
/* Calculate UDP checksum if configured to do so */
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6)
+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
l2tp_xmit_ipv6_csum(sk, skb, udp_len);
else
#endif
@@ -1624,6 +1625,24 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
if (cfg != NULL)
tunnel->debug = cfg->debug;
+#if IS_ENABLED(CONFIG_IPV6)
+ if (sk->sk_family == PF_INET6) {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+
+ if (ipv6_addr_v4mapped(&np->saddr) &&
+ ipv6_addr_v4mapped(&np->daddr)) {
+ struct inet_sock *inet = inet_sk(sk);
+
+ tunnel->v4mapped = true;
+ inet->inet_saddr = np->saddr.s6_addr32[3];
+ inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3];
+ inet->inet_daddr = np->daddr.s6_addr32[3];
+ } else {
+ tunnel->v4mapped = false;
+ }
+ }
+#endif
+
/* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
tunnel->encap = encap;
if (encap == L2TP_ENCAPTYPE_UDP) {
@@ -1631,7 +1650,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP;
udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6)
+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
udpv6_encap_enable();
else
#endif
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index e62204c..8d6a048 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -190,6 +190,9 @@ struct l2tp_tunnel {
struct sock *sock; /* Parent socket */
int fd; /* Parent fd, if tunnel socket
* was created by userspace */
+#if IS_ENABLED(CONFIG_IPV6)
+ bool v4mapped;
+#endif
uint8_t priv[0]; /* private data */
};
--
1.8.1.2
next prev parent reply other threads:[~2013-11-08 2:14 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-08 2:14 [3.8.y.z extended stable] Linux 3.8.13.13 stable review Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 01/91] ACPICA: Interpreter: Fix Store() when implicit conversion is not possible Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 02/91] ACPICA: DeRefOf operator: Update to fully resolve FieldUnit and BufferField refs Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 03/91] ACPICA: Return error if DerefOf resolves to a null package element Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 04/91] ACPICA: Fix for a Store->ArgX when ArgX contains a reference to a field Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 05/91] vxlan: fix ip_select_ident skb parameter Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 06/91] tcp: TSO packets automatic sizing Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 07/91] tcp: TSQ can use a dynamic limit Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 08/91] net: Add skb_unclone() helper function Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 09/91] ipv6: fix warning in xfrm6_mode_tunnel_input Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 10/91] ip: fix warning in xfrm4_mode_tunnel_input Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 11/91] tcp: must unclone packets before mangling them Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 12/91] tcp: do not forget FIN in tcp_shifted_skb() Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 13/91] net: do not call sock_put() on TIMEWAIT sockets Kamal Mostafa
2013-11-08 2:14 ` Kamal Mostafa [this message]
2013-11-08 2:14 ` [PATCH 3.8 15/91] l2tp: Fix build warning with ipv6 disabled Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 16/91] net: mv643xx_eth: update statistics timer from timer context only Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 17/91] net: mv643xx_eth: fix orphaned statistics timer crash Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 18/91] net: heap overflow in __audit_sockaddr() Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 19/91] proc connector: fix info leaks Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 20/91] ipv4: fix ineffective source address selection Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 21/91] can: dev: fix nlmsg size calculation in can_get_size() Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 22/91] net: secure_seq: Fix warning when CONFIG_IPV6 and CONFIG_INET are not selected Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 23/91] xen-netback: Don't destroy the netdev until the vif is shut down Kamal Mostafa
2013-11-08 9:53 ` Ian Campbell
2013-11-08 17:54 ` Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 24/91] net: vlan: fix nlmsg size calculation in vlan_get_size() Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 25/91] vti: get rid of nf mark rule in prerouting Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 26/91] l2tp: must disable bh before calling l2tp_xmit_skb() Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 27/91] farsync: fix info leak in ioctl Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 28/91] unix_diag: fix info leak Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 29/91] connector: use nlmsg_len() to check message length Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 30/91] virtio-net: don't respond to cpu hotplug notifier if we're not ready Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 31/91] bridge: Correctly clamp MAX forward_delay when enabling STP Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 32/91] net: dst: provide accessor function to dst->xfrm Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 33/91] sctp: Use software crc32 checksum when xfrm transform will happen Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 34/91] sctp: Perform software checksum if packet has to be fragmented Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 35/91] wanxl: fix info leak in ioctl Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 36/91] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 37/91] net: fix cipso packet validation when !NETLABEL Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 38/91] inet: fix possible memory corruption with UDP_CORK and UFO Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 39/91] davinci_emac.c: Fix IFF_ALLMULTI setup Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 40/91] jfs: fix error path in ialloc Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 41/91] cfg80211: fix warning when using WEXT for IBSS Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 42/91] mac80211: drop spoofed packets in ad-hoc mode Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 43/91] mac80211: use sta_info_get_bss() for nl80211 tx and client probing Kamal Mostafa
2013-11-08 2:14 ` [PATCH 3.8 44/91] mac80211: update sta->last_rx on acked tx frames Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 45/91] mwifiex: fix SDIO interrupt lost issue Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 46/91] ath9k: fix tx queue scheduling after channel changes Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 47/91] libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 48/91] mac80211: correctly close cancelled scans Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 49/91] can: flexcan: fix mx28 detection by rearanging OF match table Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 50/91] rtlwifi: rtl8192cu: Fix error in pointer arithmetic Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 51/91] wireless: radiotap: fix parsing buffer overrun Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 52/91] mac80211: fix crash if bitrate calculation goes wrong Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 53/91] drm/vmwgfx: Don't put resources with invalid id's on lru list Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 54/91] drm/vmwgfx: Don't kill clients on VT switch Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 55/91] ecryptfs: Fix memory leakage in keystore.c Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 56/91] drm: Prevent overwriting from userspace underallocating core ioctl structs Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 57/91] drm: Pad drm_mode_get_connector to 64-bit boundary Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 58/91] drm/radeon/atom: workaround vbios bug in transmitter table on rs780 Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 59/91] md: Fix skipping recovery for read-only arrays Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 60/91] md: avoid deadlock when md_set_badblocks Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 61/91] raid5: set bio bi_vcnt 0 for discard request Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 62/91] raid5: avoid finding "discard" stripe Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 63/91] target/pscsi: fix return value check Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 64/91] vhost/scsi: Fix incorrect usage of get_user_pages_fast write parameter Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 65/91] parisc: Do not crash 64bit SMP kernels on machines with >= 4GB RAM Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 66/91] dmi: add support for exact DMI matches in addition to substring matching Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 67/91] clk: fixup argument order when setting VCO parameters Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 68/91] xtensa: don't use alternate signal stack on threads Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 69/91] ALSA: hda - Fix unbalanced runtime PM refcount after S3/S4 Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 70/91] ASoC: dapm: Fix source list debugfs outputs Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 71/91] drm/i915: quirk away phantom LVDS on Intel's D510MO mainboard Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 72/91] drm/i915: quirk away phantom LVDS on Intel's D525MW mainboard Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 73/91] drm/i915: No LVDS hardware on Intel D410PT and D425KT Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 74/91] mm: Wait for THP migrations to complete during NUMA hinting faults Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 75/91] mm: numa: cleanup flow of transhuge page migration Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 76/91] mm: Prevent parallel splits during THP migration Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 77/91] mm: numa: Sanitize task_numa_fault() callsites Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 78/91] mm: Close races between THP migration and PMD numa clearing Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 79/91] mm: Account for a THP NUMA hinting update as one PTE update Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 80/91] Fix a few incorrectly checked [io_]remap_pfn_range() calls Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 81/91] ALSA: hda - Add a fixup for ASUS N76VZ Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 82/91] ASoC: wm_hubs: Add missing break in hp_supply_event() Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 83/91] uml: check length in exitcode_proc_write() Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 84/91] staging: ozwpan: prevent overflow in oz_cdev_write() Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 85/91] aacraid: missing capable() check in compat ioctl Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 86/91] staging: wlags49_h2: buffer overflow setting station name Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 87/91] Staging: bcm: info leak in ioctl Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 88/91] Staging: sb105x: info leak in mp_get_count() Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 89/91] ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 90/91] lib/scatterlist.c: don't flush_kernel_dcache_page on slab page Kamal Mostafa
2013-11-08 2:15 ` [PATCH 3.8 91/91] scripts/kallsyms: filter symbols not in kernel address space Kamal Mostafa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1383876946-2396-15-git-send-email-kamal@canonical.com \
--to=kamal@canonical.com \
--cc=davem@davemloft.net \
--cc=f.cachereul@alphalink.fr \
--cc=kernel-team@lists.ubuntu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox