Re: [PATCH net] l2tp: fix a sock refcnt leak in l2tp_tunnel_register

2018-11-13 Thread Guillaume Nault
is patch is to fix it by holding the sock after doing the > existence check. > Nice fix. Thanks Xin! Reviewed-by: Guillaume Nault

Re: [PATCH net] pppoe: fix reception of frames with no mac header

2018-09-14 Thread Guillaume Nault
On Fri, Sep 14, 2018 at 04:28:05PM +0200, Guillaume Nault wrote: > pppoe_rcv() needs to look back at the Ethernet header in order to > lookup the PPPoE session. Therefore we need to ensure that the mac > header is big enough to contain an Ethernet header. Otherwise > eth_hdr(skb)->

[PATCH net] pppoe: fix reception of frames with no mac header

2018-09-14 Thread Guillaume Nault
430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 == Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") Reported-by: syzbot+f5f6080811c849739...@syzkaller.appspotmail.com Signed-off-by: Guillaume Nault ---

Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()

2018-08-10 Thread Guillaume Nault
On Sun, Aug 05, 2018 at 01:24:13PM +0200, Guillaume Nault wrote: > On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote: > > From: Guillaume Nault > > Date: Fri, 3 Aug 2018 17:00:11 +0200 > > > > > If 'session' is not NULL and is not a PPP pseudo-wi

Re: [PATCH net] l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache

2018-08-10 Thread Guillaume Nault
On Thu, Aug 09, 2018 at 11:54:05AM -0700, Wei Wang wrote: > From: Wei Wang > > In l2tp code, if it is a L2TP_UDP_ENCAP tunnel, tunnel->sk points to a > UDP socket. User could call sendmsg() on both this tunnel and the UDP > socket itself concurrently. As l2tp_xmit_skb() holds socket lock and

[PATCH net-next 5/8] l2tp: remove pppol2tp_tunnel_ioctl()

2018-08-10 Thread Guillaume Nault
the value that was originally passed in 'stats.session_id', while session sockets have to report their own session_id. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 132 ++-- 1 file changed, 53 insertions(+), 79 deletions(-) diff --git a/net/l2tp/l2t

[PATCH net-next 3/8] l2tp: simplify pppol2tp_ioctl()

2018-08-10 Thread Guillaume Nault
reference on the socket. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 33 ++--- 1 file changed, 6 insertions(+), 27 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index cd43d02484e4..e3ed8d473d91 100644 --- a/net/l2tp/l2tp_ppp.c +++ b

[PATCH net-next 8/8] l2tp: let pppol2tp_ioctl() fallback to dev_ioctl()

2018-08-10 Thread Guillaume Nault
Return -ENOIOCTLCMD for unknown ioctl commands. This lets dev_ioctl() handle generic socket ioctls like SIOCGIFNAME or SIOCGIFINDEX. PF_PPPOX/PX_PROTO_OL2TP was one of the few socket types not honouring this mechanism. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 2 +- 1 file

[PATCH net-next 1/8] l2tp: define l2tp_tunnel_uses_xfrm()

2018-08-10 Thread Guillaume Nault
Use helper function to figure out if a tunnel is using ipsec. Also, avoid accessing ->sk_policy directly since it's RCU protected. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.h| 19 +++ net/l2tp/l2tp_netlink.c | 7 +-- net/l2tp/l2tp_ppp.c | 5 +

[PATCH net-next 0/8] l2tp: rework pppol2tp ioctl handling

2018-08-10 Thread Guillaume Nault
and it is always nice to see l2tp getting better integration with the rest of the stack. Guillaume Nault (8): l2tp: define l2tp_tunnel_uses_xfrm() l2tp: split l2tp_session_get() l2tp: simplify pppol2tp_ioctl() l2tp: handle PPPIOC[GS]MRU and PPPIOC[GS]FLAGS in pppol2tp_ioctl() l2tp: remove

[PATCH net-next 7/8] l2tp: zero out stats in pppol2tp_copy_stats()

2018-08-10 Thread Guillaume Nault
Integrate memset(0) in pppol2tp_copy_stats() to avoid calling it manually every time. While there, constify 'stats'. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index

[PATCH net-next 2/8] l2tp: split l2tp_session_get()

2018-08-10 Thread Guillaume Nault
provide both a namespace and a tunnel, making the semantic of the call unclear. This patch defines l2tp_tunnel_get_session() for lookups done in a tunnel and restricts l2tp_session_get() to namespace searches. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.c| 50

[PATCH net-next 6/8] l2tp: remove pppol2tp_session_ioctl()

2018-08-10 Thread Guillaume Nault
ed-off-by: Guillaume Nault --- include/uapi/linux/ppp-ioctl.h | 2 +- net/l2tp/l2tp_ppp.c| 50 ++ 2 files changed, 4 insertions(+), 48 deletions(-) diff --git a/include/uapi/linux/ppp-ioctl.h b/include/uapi/linux/ppp-ioctl.h index 784c2e3e572e..88b5f9

[PATCH net-next 4/8] l2tp: handle PPPIOC[GS]MRU and PPPIOC[GS]FLAGS in pppol2tp_ioctl()

2018-08-10 Thread Guillaume Nault
Let pppol2tp_ioctl() handle ioctl commands directly. It still relies on pppol2tp_{session,tunnel}_ioctl() for PPPIOCGL2TPSTATS. Signed-off-by: Guillaume Nault --- Checkpatch does not like the -ENOSYS return value, which should only be used for non-existing syscalls. I have kept them so

Re: [PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()

2018-08-05 Thread Guillaume Nault
On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote: > From: Guillaume Nault > Date: Fri, 3 Aug 2018 17:00:11 +0200 > > > If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to > > drop the reference taken by l2tp_session_get(). > > >

[PATCH net] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()

2018-08-03 Thread Guillaume Nault
If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to drop the reference taken by l2tp_session_get(). Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()") Signed-off-by: Guillaume Nault --- Sorry for the stupid mistake. I guess I g

[PATCH net-next 3/3] l2tp: ignore L2TP_ATTR_MTU

2018-08-03 Thread Guillaume Nault
y). So let's just ignore it entirely. Signed-off-by: Guillaume Nault --- include/uapi/linux/l2tp.h | 2 +- net/l2tp/l2tp_core.c | 1 - net/l2tp/l2tp_core.h | 2 -- net/l2tp/l2tp_debugfs.c | 3 +-- net/l2tp/l2tp_eth.c | 17 +++-- net/l2tp/l2tp_netlink.c | 9

[PATCH net-next 1/3] l2tp: define l2tp_tunnel_dst_mtu()

2018-08-03 Thread Guillaume Nault
Consolidate retrieval of tunnel's socket mtu in order to simplify l2tp_eth and l2tp_ppp a bit. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.h | 18 ++ net/l2tp/l2tp_eth.c | 14 -- net/l2tp/l2tp_ppp.c | 15 --- 3 files changed, 26 insertions

[PATCH net-next 2/3] l2tp: simplify MTU handling in l2tp_ppp

2018-08-03 Thread Guillaume Nault
off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 67 - 1 file changed, 18 insertions(+), 49 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 1c6da02f976a..b403728e2757 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_pp

[PATCH net-next 0/3] l2tp: sanitise MTU handling on sessions

2018-08-03 Thread Guillaume Nault
l_dst_mtu() in order to simplify the following patches. Then patches #2 and #3 remove MTU handling from PPP and Ethernet pseudo-wires respectively. Guillaume Nault (3): l2tp: define l2tp_tunnel_dst_mtu() l2tp: simplify MTU handling in l2tp_ppp l2tp: ignore L2TP_ATTR_MTU include/uapi/linux/l2

Re: [PATCH iproute2 0/3] l2tp: remove unused fields in struct l2tp_parm

2018-07-27 Thread Guillaume Nault
On Fri, Jul 27, 2018 at 07:57:12AM -0700, Stephen Hemminger wrote: > On Fri, 27 Jul 2018 12:26:28 +0200 > Guillaume Nault wrote: > > > Several fields of struct l2tp_parm are handled by create_session() but > > can't actually be set by user. > > Most of t

[PATCH iproute2 0/3] l2tp: remove unused fields in struct l2tp_parm

2018-07-27 Thread Guillaume Nault
Several fields of struct l2tp_parm are handled by create_session() but can't actually be set by user. Most of these fields can also be set by get_response(), but are ignored afterwards. Since these fields can't have any visible effect, let's just remove them. Guillaume Nault (3): l2tp: drop

[PATCH iproute2 3/3] l2tp: drop lns_mode

2018-07-27 Thread Guillaume Nault
This option is never set. Signed-off-by: Guillaume Nault --- ip/ipl2tp.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/ip/ipl2tp.c b/ip/ipl2tp.c index 41fefb85..5e7f0390 100644 --- a/ip/ipl2tp.c +++ b/ip/ipl2tp.c @@ -58,7 +58,6 @@ struct l2tp_parm { unsigned int udp_csum:1

[PATCH iproute2 2/3] l2tp: drop mtu

2018-07-27 Thread Guillaume Nault
This option can't be set by user and is never printed. Signed-off-by: Guillaume Nault --- ip/ipl2tp.c | 5 - 1 file changed, 5 deletions(-) diff --git a/ip/ipl2tp.c b/ip/ipl2tp.c index aca9912c..41fefb85 100644 --- a/ip/ipl2tp.c +++ b/ip/ipl2tp.c @@ -53,7 +53,6 @@ struct l2tp_parm

[PATCH iproute2 1/3] l2tp: drop data_seq

2018-07-27 Thread Guillaume Nault
This option can't be set by user and is never printed. Furthermore, L2TP_ATTR_DATA_SEQ has always been a noop in Linux. Signed-off-by: Guillaume Nault --- ip/ipl2tp.c | 5 - 1 file changed, 5 deletions(-) diff --git a/ip/ipl2tp.c b/ip/ipl2tp.c index 05e96387..aca9912c 100644 --- a/ip

[PATCH net-next 4/4] l2tp: drop ->mru from struct l2tp_session

2018-07-27 Thread Guillaume Nault
This field is not used. Treat PPPIOC*MRU the same way as PPPIOC*FLAGS: "get" requests return 0, while "set" requests validate the user supplied pointer but discard its value. Signed-off-by: Guillaume Nault --- include/uapi/linux/l2tp.h | 2 +- net/l2tp/l2tp_core.c

[PATCH net-next 0/4] l2tp: remove unused session fields

2018-07-27 Thread Guillaume Nault
Several fields of the session structures can be set, but remain unused otherwise. This series removes these fields and explicitly ignores the associated ioctls and netlink attributes. Guillaume Nault (4): l2tp: ignore L2TP_ATTR_DATA_SEQ netlink attribute l2tp: ignore L2TP_ATTR_VLAN_ID

[PATCH net-next 3/4] l2tp: drop ->flags from struct pppol2tp_session

2018-07-27 Thread Guillaume Nault
This field is not used. Keep validating user input in PPPIOCSFLAGS. Even though we discard the value, it would look wrong to succeed if an invalid address was passed from userspace. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 13 ++--- 1 file changed, 2 insertions(+), 11

[PATCH net-next 1/4] l2tp: ignore L2TP_ATTR_DATA_SEQ netlink attribute

2018-07-27 Thread Guillaume Nault
The value of this attribute is never used. Signed-off-by: Guillaume Nault --- include/uapi/linux/l2tp.h | 7 --- net/l2tp/l2tp_core.h | 8 net/l2tp/l2tp_debugfs.c | 4 +--- net/l2tp/l2tp_netlink.c | 6 -- 4 files changed, 5 insertions(+), 20 deletions(-) diff --git

[PATCH net-next 2/4] l2tp: ignore L2TP_ATTR_VLAN_ID netlink attribute

2018-07-27 Thread Guillaume Nault
The value of this attribute is never used. Signed-off-by: Guillaume Nault --- include/uapi/linux/l2tp.h | 4 ++-- net/l2tp/l2tp_core.h | 1 - net/l2tp/l2tp_netlink.c | 3 --- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/include/uapi/linux/l2tp.h b/include/uapi/linux

Re: [PATCH net-next] l2tp: remove ->recv_payload_hook

2018-07-25 Thread Guillaume Nault
On Wed, Jul 25, 2018 at 02:53:33PM +0200, Guillaume Nault wrote: > The tunnel reception hook is only used by l2tp_ppp for skipping PPP > framing bytes. This is a session specific operation, but once a PPP > session sets ->recv_payload_hook on its tunnel, all frames received by

[PATCH net-next] l2tp: remove ->recv_payload_hook

2018-07-25 Thread Guillaume Nault
net sessions (an L2TPv3 tunnel can multiplex PPP and Ethernet sessions). So this mechanism is wrong, and uselessly complex. Let's just move this functionality to the pppol2tp rx handler and drop ->recv_payload_hook. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.c | 16 ---

[PATCH net-next] l2tp: define helper for parsing struct sockaddr_pppol2tp*

2018-06-26 Thread Guillaume Nault
(). A new structure, l2tp_connect_info, is used to pass sockaddr data back to pppol2tp_connect(), to avoid passing too many parameters to l2tp_sockaddr_get_info(). Also, the first parameter is void* in order to avoid casting between all sockaddr_* structures manually. Signed-off-by: Guillaume Nault

[PATCH net-next 4/7] l2tp: don't export l2tp_session_queue_purge()

2018-06-25 Thread Guillaume Nault
This function is only used in l2tp_core.c. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.c | 3 +-- net/l2tp/l2tp_core.h | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 40261cb68e83..3adef4c35a3a 100644 --- a/net

[PATCH net-next 5/7] l2tp: don't export l2tp_tunnel_closeall()

2018-06-25 Thread Guillaume Nault
This function is only used in l2tp_core.c. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.c | 3 +-- net/l2tp/l2tp_core.h | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 3adef4c35a3a..96e31f2ae7cd 100644 --- a/net

[PATCH net-next 2/7] l2tp: remove .show from struct l2tp_tunnel

2018-06-25 Thread Guillaume Nault
This callback has never been implemented. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.h| 3 --- net/l2tp/l2tp_debugfs.c | 3 --- 2 files changed, 6 deletions(-) diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h index c199020f8a8a..b21c20a4e08f 100644 --- a/net/l2tp

[PATCH net-next 7/7] l2tp: make l2tp_xmit_core() return void

2018-06-25 Thread Guillaume Nault
It always returns 0, and nobody reads the return value anyway. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 88c3001531b4..1ea285bad84b 100644 --- a/net/l2tp

[PATCH net-next 1/7] l2tp: remove pppol2tp_session_close()

2018-06-25 Thread Guillaume Nault
l2tp_core.c verifies that ->session_close() is defined before calling it. There's no need for a stub. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 7 --- 1 file changed, 7 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 55188382845c..eea5d7844

[PATCH net-next 6/7] l2tp: avoid duplicate l2tp_pernet() calls

2018-06-25 Thread Guillaume Nault
Replace 'l2tp_pernet(tunnel->l2tp_net)' with 'pn', which has been set on the preceding line. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 96e31f2ae7cd..88c300153

[PATCH net-next 3/7] l2tp: remove l2tp_tunnel_priv()

2018-06-25 Thread Guillaume Nault
This function, and the associated .priv field, are unused. Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_core.h | 7 --- 1 file changed, 7 deletions(-) diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h index b21c20a4e08f..15e1171ecf7b 100644 --- a/net/l2tp/l2tp_core.h +++ b/net

[PATCH net-next 0/7] l2tp: trivial cleanups

2018-06-25 Thread Guillaume Nault
Just a set of unrelated trivial cleanups (remove unused code, make local functions static, etc.). Guillaume Nault (7): l2tp: remove pppol2tp_session_close() l2tp: remove .show from struct l2tp_tunnel l2tp: remove l2tp_tunnel_priv() l2tp: don't export l2tp_session_queue_purge() l2tp

[PATCH net 2/2] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()

2018-06-15 Thread Guillaume Nault
() points to an l2tp_eth_sess structure instead, making pppol2tp_session_ioctl() access invalid memory. Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions

2018-06-15 Thread Guillaume Nault
tunnels can only transport PPP sessions is right, but l2tp_netlink failed to ensure that (fixed in patch 1). When retrieving a session from an arbitrary tunnel, l2tp_ppp needs to filter out non-PPP sessions (last occurrence fixed in patch 2). Guillaume Nault (2): l2tp: reject creation of non-PPP

[PATCH net 1/2] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels

2018-06-15 Thread Guillaume Nault
2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_netlink.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c index 6616c9fd292f..5b9900889e31 100644 --- a/net/l2tp/l2tp_netlink.c +

[PATCH net 1/4] l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()

2018-06-13 Thread Guillaume Nault
, pppol2tp_connect() should refuse to connect a session that is not PPPoL2TP, but that requires the session's .pwtype field to be properly set. Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support") Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 1 + 1 file changed, 1 insertion(+) diff -

[PATCH net 3/4] l2tp: prevent pppol2tp_connect() from creating kernel sockets

2018-06-13 Thread Guillaume Nault
there's no way to get them from the current connect() parameters. So let's restrict kernel sockets creation to the netlink API, which is the original use case. Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels") Signed-off-by: Guillaume Nault --- net/l2tp/l2tp

[PATCH net 0/4] l2tp: pppol2tp_connect() fixes

2018-06-13 Thread Guillaume Nault
. It depends on patch 1 for correctly identifying L2TP session types. Patches 3 and 4 avoid creating stale tunnels and sessions. Guillaume Nault (4): l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect() l2tp: only accept PPP sessions in pppol2tp_connect() l2tp: prevent

[PATCH net 2/4] l2tp: only accept PPP sessions in pppol2tp_connect()

2018-06-13 Thread Guillaume Nault
memory dereference when trying to lock ps->sk_lock. Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index

[PATCH net 4/4] l2tp: clean up stale tunnel or session in pppol2tp_connect's error path

2018-06-13 Thread Guillaume Nault
pppol2tp_connect() may create a tunnel or a session. Remove them in case of error. Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 10 ++ 1 file changed, 10 insertions(+) diff --git

Re: [PATCH net] l2tp: fix refcount leakage on PPPoL2TP sockets

2018-06-05 Thread Guillaume Nault
On Tue, Jun 05, 2018 at 09:41:24AM -0400, David Miller wrote: > From: Guillaume Nault > Date: Mon, 4 Jun 2018 18:52:19 +0200 > > > Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session > > object destroy") tried to fix a race condition where a PPPo

[PATCH net] l2tp: fix refcount leakage on PPPoL2TP sockets

2018-06-04 Thread Guillaume Nault
nnected. Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy") Signed-off-by: Guillaume Nault --- net/l2tp/l2tp_ppp.c | 35 +-- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp

Re: [PATCH v2] ppp: remove the PPPIOCDETACH ioctl

2018-05-24 Thread Guillaume Nault
table submissions himself. Using a 'PATCH net' subject prefix would have made it clear that this patch was fixing some released code and should be considered for -stable backport. Reviewed-by: Guillaume Nault <g.na...@alphalink.fr> Tested-by: Guillaume Nault <g.na...@alphalink.fr>

Re: [PATCH] ppp: remove the PPPIOCDETACH ioctl

2018-05-23 Thread Guillaume Nault
On Tue, May 22, 2018 at 08:59:52PM -0700, Eric Biggers wrote: > From: Eric Biggers > > The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file > before f_count has reached 0, which is fundamentally a bad idea. It > does check 'f_count < 2', which excludes

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-23 Thread Guillaume Nault
On Tue, May 22, 2018 at 08:29:58PM -0700, Eric Biggers wrote: > On Fri, May 18, 2018 at 06:02:23PM +0200, Guillaume Nault wrote: > > On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote: > > > [+ppp list and maintainer] > > > > > > This is a bug in ppp_

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-18 Thread Guillaume Nault
On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote: > [+ppp list and maintainer] > > This is a bug in ppp_generic.c; it still happens on Linus' tree and it's > easily > reproducible, see program below. The bug is that the PPPIOCDETACH ioctl > doesn't > consider that the file can

Re: Request for -stable inclusion: time stamping fix for nfp

2018-05-18 Thread Guillaume Nault
On Thu, May 17, 2018 at 02:09:03PM -0400, David Miller wrote: > From: Guillaume Nault <g.na...@alphalink.fr> > Date: Thu, 17 May 2018 19:41:47 +0200 > > > On Thu, Nov 16, 2017 at 10:13:28AM +0900, David Miller wrote: > >> From: Guillaume Nault <g.na...@alphalink.f

Re: Request for -stable inclusion: time stamping fix for nfp

2018-05-17 Thread Guillaume Nault
On Thu, Nov 16, 2017 at 10:13:28AM +0900, David Miller wrote: > From: Guillaume Nault <g.na...@alphalink.fr> > Date: Wed, 15 Nov 2017 17:20:46 +0100 > > > Can you please queue commit 46f1c52e66db > > ("nfp: TX time stamp packets before HW doorbell is ru

Re: KASAN: out-of-bounds Read in ip6_xmit

2018-05-15 Thread Guillaume Nault
On Tue, May 08, 2018 at 09:45:25PM -0700, Eric Biggers wrote: > On Sun, Jan 28, 2018 at 11:24:01AM -0800, syzbot wrote: > > Hello, > > > > syzbot hit the following crash on net-next commit > > 6bb46bc57c8e9ce947cc605e555b7204b44d2b10 (Fri Jan 26 16:00:23 2018 +) > > Merge branch

Re: [PATCH net] pppoe: check sockaddr length in pppoe_connect()

2018-04-27 Thread Guillaume Nault
On Fri, Apr 27, 2018 at 06:24:24PM +0200, Guillaume Nault wrote: > exact consequences. That being said if you consider the risk is > sufficiently low, you can always submit the patch to net-next. Humm, forget it. I didn't see David's reply before answering.

Re: [PATCH net] pppoe: check sockaddr length in pppoe_connect()

2018-04-27 Thread Guillaume Nault
On Fri, Apr 27, 2018 at 11:51:31AM -0400, Kevin Easton wrote: > On Fri, Apr 27, 2018 at 05:39:06PM +0200, Guillaume Nault wrote: > > On Fri, Apr 27, 2018 at 08:23:16AM -0400, Kevin Easton wrote: > ... > > > There's another bug here - pppoe_connect() should also be validatin

Re: [PATCH net-next] l2tp: consistent reference counting in procfs and debufs

2018-04-27 Thread Guillaume Nault
On Fri, Apr 27, 2018 at 11:06:55AM -0400, David Miller wrote: > From: Guillaume Nault <g.na...@alphalink.fr> > Date: Wed, 25 Apr 2018 19:54:14 +0200 > > > The 'pppol2tp' procfs and 'l2tp/tunnels' debugfs files handle reference > > counting of sessions d

Re: [PATCH net] pppoe: check sockaddr length in pppoe_connect()

2018-04-27 Thread Guillaume Nault
On Fri, Apr 27, 2018 at 08:23:16AM -0400, Kevin Easton wrote: > On Mon, Apr 23, 2018 at 04:38:27PM +0200, Guillaume Nault wrote: > > We must validate sockaddr_len, otherwise userspace can pass fewer data > > than we expect and we end up accessing invalid data. > > > >

[PATCH net-next] l2tp: consistent reference counting in procfs and debufs

2018-04-25 Thread Guillaume Nault
(rather than in .show()). If necessary (if dump stops before *_next_session() returns NULL), drop the last reference in .stop(). Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- net/l2tp/l2tp_debugfs.c | 20 +--- net/l2tp/l2tp_ppp.c | 21 + 2

[PATCH net-next] l2tp: centralise parsing of sockaddr_pppol2tp*

2018-04-25 Thread Guillaume Nault
manually. Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- net/l2tp/l2tp_ppp.c | 169 ++-- 1 file changed, 101 insertions(+), 68 deletions(-) This patch originates from an attempt to remove the '/* bad socket address */' else clause that became ob

Re: [PATCH] l2tp: fix l2tp_eth_dev_xmit()'s return type

2018-04-24 Thread Guillaume Nault
On Tue, Apr 24, 2018 at 03:18:53PM +0200, Luc Van Oostenryck wrote: > The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', > which is a typedef for an enum type, but the implementation in this > driver returns an 'int'. > > Fix this by returning 'netdev_tx_t' in this driver too.

Re: [PATCH net] l2tp: check sockaddr length in pppol2tp_connect()

2018-04-24 Thread Guillaume Nault
On Mon, Apr 23, 2018 at 09:11:22PM -0400, David Miller wrote: > From: Guillaume Nault <g.na...@alphalink.fr> > Date: Mon, 23 Apr 2018 16:15:14 +0200 > > > Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that > > it actually points to valid data

Re: KMSAN: uninit-value in strnlen

2018-04-23 Thread Guillaume Nault
On Mon, Apr 23, 2018 at 01:23:01AM -0700, syzbot wrote: > Hello, > > syzbot hit the following crash on https://github.com/google/kmsan.git/master > commit > a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +) > kmsan: disable assembly checksums > syzbot dashboard link: >

[PATCH net] pppoe: check sockaddr length in pppoe_connect()

2018-04-23 Thread Guillaume Nault
We must validate sockaddr_len, otherwise userspace can pass fewer data than we expect and we end up accessing invalid data. Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") Reported-by: syzbot+4f03bdf92fdf9ef5d...@syzkaller.appspotmail.com Signed-off-by: Guillaume Nault <g.na...

[PATCH net] l2tp: check sockaddr length in pppol2tp_connect()

2018-04-23 Thread Guillaume Nault
Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that it actually points to valid data. Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Reported-by: syzbot+a70ac890b23b1bf29...@syzkaller.appspotmail.com Signed-off-by: Guillaum

[PATCH net] l2tp: fix {pppol2tp,l2tp_dfs}_seq_stop() in case of seq_file overflow

2018-04-19 Thread Guillaume Nault
non-NULL tunnel when pd->session is set. The l2tp_debugfs module has the same issue. Fix it in the same way. Fixes: 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file") Fixes: f726214d9b23 ("l2tp: hold reference on tunnels printed in l2tp/tunnels debug

Re: [PATCH net 1/3] l2tp: hold reference on tunnels in netlink dumps

2018-04-13 Thread Guillaume Nault
On Fri, Apr 13, 2018 at 10:57:03AM -0400, David Miller wrote: > From: Guillaume Nault <g.na...@alphalink.fr> > Date: Thu, 12 Apr 2018 20:50:33 +0200 > > > l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned > > tunnel, therefore it can be fre

[PATCH net 2/3] l2tp: hold reference on tunnels printed in pppol2tp proc file

2018-04-12 Thread Guillaume Nault
reference. However, in case of error, pppol2tp_seq_stop() is called directly, so we have to drop the reference there. Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- net/l2tp

[PATCH net 3/3] l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file

2018-04-12 Thread Guillaume Nault
the last accessed tunnel in l2tp_dfs_seq_stop(). That was the last use of l2tp_tunnel_find_nth(). Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info") Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- net/l2tp/l2tp_core.c| 20 --

[PATCH net 0/3] l2tp: remove unsafe calls to l2tp_tunnel_find_nth()

2018-04-12 Thread Guillaume Nault
Using l2tp_tunnel_find_nth() is racy, because the returned tunnel can go away as soon as this function returns. This series introduces l2tp_tunnel_get_nth() as a safe replacement to fix these races. With this series, all unsafe tunnel/session lookups are finally gone. Guillaume Nault (3

[PATCH net 1/3] l2tp: hold reference on tunnels in netlink dumps

2018-04-12 Thread Guillaume Nault
using the tunnel. Convert netlink dumps to make them safe against concurrent tunnel deletion. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- net/l2tp/l2tp_core.c| 20 net/l2tp/l2t

[PATCH net 1/2] l2tp: fix races in tunnel creation

2018-04-10 Thread Guillaume Nault
pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- net/l2tp/l2tp_core.c| 192 ++-- net/l2tp/l2tp_core.h| 3 + net/l2tp/l2tp_netlink.c | 16 +++- net/l2tp/l2tp_ppp.c | 9 ++ 4

[PATCH net 0/2] l2tp: tunnel creation fixes

2018-04-10 Thread Guillaume Nault
for duplicate tunnels in a race-free way. This is done in patch #2, which incidentally removes the last use of l2tp_tunnel_find(). Guillaume Nault (2): l2tp: fix races in tunnel creation l2tp: fix race in duplicate tunnel detection net/l2tp/l2tp_core.c| 225

[PATCH net 2/2] l2tp: fix race in duplicate tunnel detection

2018-04-10 Thread Guillaume Nault
as it isn't used anywhere anymore. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- net/l2tp/l2tp_core.c| 35 ++- net/l2tp/l2tp_core.h| 1 - net/l2tp/l2tp_netlink.c | 6

Re: [PATCH] slip: Check if rstate is initialized before uncompressing

2018-04-10 Thread Guillaume Nault
On Tue, Apr 10, 2018 at 11:28:10AM +0530, tejas...@codeaurora.org wrote: > On 2018-04-09 20:34, David Miller wrote: > > From: Tejaswi Tanikella > > Date: Mon, 9 Apr 2018 14:23:49 +0530 > > > > > @@ -673,6 +677,7 @@ struct slcompress * > > > if (cs->cs_tcp.doff > 5) > >

[PATCH iproute2] bridge: fix typo in hairpin error message

2018-04-06 Thread Guillaume Nault
No 'g' to hairpin. Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- bridge/link.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bridge/link.c b/bridge/link.c index 579d57e7..8d89aca2 100644 --- a/bridge/link.c +++ b/bridge/link.c @@ -312,7 +312,7 @@ stat

[PATCH iproute2] l2tp: no need to export session offsets in JSON output

2018-04-05 Thread Guillaume Nault
The offset and peer_offset parameters are only printed to avoid confusing external scripts that may parse "ip l2tp show session" output. There's no reason to keep them in JSON. Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- ip/ipl2tp.c | 5 +++-- 1 file changed, 3

Re: [PATCH iproute2] ip/l2tp: remove offset and peer-offset options

2018-04-05 Thread Guillaume Nault
On Wed, Apr 04, 2018 at 04:43:10PM -0700, Stephen Hemminger wrote: > On Tue, 3 Apr 2018 17:39:54 +0200 > Guillaume Nault <g.na...@alphalink.fr> wrote: > > > Ignore options "peer-offset" and "offset" when creating sessions. Keep > > them when dumpi

[PATCH iproute2] ip/l2tp: remove offset and peer-offset options

2018-04-03 Thread Guillaume Nault
Ignore options "peer-offset" and "offset" when creating sessions. Keep them when dumping sessions in order to avoid breaking external scripts. "peer-offset" has always been a noop in iproute2. "offset" is now ignored in Linux 4.16 (and was broken befor

Re: syzbot rcu/debugobjects warning

2018-03-26 Thread Guillaume Nault
On Sat, Mar 24, 2018 at 11:29:42PM -0700, Joel Fernandes wrote: > On Fri, Mar 23, 2018 at 1:41 PM, Thomas Gleixner wrote: > > On Fri, 23 Mar 2018, Joel Fernandes wrote: > >> On Fri, Mar 23, 2018 at 2:11 AM, Thomas Gleixner > >> wrote: > >> > On Thu, 22

Re: l2tp stable request

2018-03-23 Thread Guillaume Nault
On Thu, Mar 22, 2018 at 05:55:30PM -0700, Daniel Rosenberg wrote: > f3c66d4e144a0904ea9b95d23ed9f8eb38c11bfb        l2tp: prevent creation of > sessions on terminated tunnels > 9ee369a405c57613d7c83a3967780c3e30c52ecc        l2tp: initialise session's > refcount before making it reachable >

Re: Fw: [Bug 199109] New: pptp: kernel printk "recursion detected", and then reboot itself

2018-03-21 Thread Guillaume Nault
On Wed, Mar 21, 2018 at 09:03:57AM +0800, xu heng wrote: > Yes, i have tested it for 146390 seconds in my board, it's ok now. Thanks! > Feel free to add your Tested-by tag to the patch if you want to. Thanks for your report. Guillaume BTW, for your future exchanges on the list, please avoid

Re: [PATCH net] ipv6: old_dport should be a __be16 in __ip6_datagram_connect()

2018-03-20 Thread Guillaume Nault
old_dport; > int addr_type; > int err; > Acked-by: Guillaume Nault <g.na...@alphalink.fr>

[PATCH net] ppp: avoid loop in xmit recursion detection code

2018-03-20 Thread Guillaume Nault
5454a565836 ("ppp: avoid dealock on recursive xmit") Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> --- drivers/net/ppp/ppp_generic.c | 26 ++ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/

Re: Fw: [Bug 199109] New: pptp: kernel printk "recursion detected", and then reboot itself

2018-03-20 Thread Guillaume Nault
On Fri, Mar 16, 2018 at 09:02:40PM +0100, Guillaume Nault wrote: > On Fri, Mar 16, 2018 at 02:49:40PM +0800, xu heng wrote: > > > > For testing, in __ppp_channel_push(), disable sending anything from > > the attached unit, just disable __ppp_xmit_process(ppp) in &

Re: Fw: [Bug 199109] New: pptp: kernel printk "recursion detected", and then reboot itself

2018-03-16 Thread Guillaume Nault
On Fri, Mar 16, 2018 at 02:49:40PM +0800, xu heng wrote: > > For testing, in __ppp_channel_push(), disable sending anything from > the attached unit, just disable __ppp_xmit_process(ppp) in > __ppp_channel_push(). In my opinion, __ppp_xmit_process() should only be called > by

Re: Fw: [Bug 199109] New: pptp: kernel printk "recursion detected", and then reboot itself

2018-03-15 Thread Guillaume Nault
On Wed, Mar 14, 2018 at 08:02:17AM -0700, Stephen Hemminger wrote: > > > Begin forwarded message: > > Date: Wed, 14 Mar 2018 06:56:09 + > From: bugzilla-dae...@bugzilla.kernel.org > To: step...@networkplumber.org > Subject: [Bug 199109] New: pptp: kernel printk "recursion detected", and

Re: [PATCH net-next 1/6] net: Convert l2tp_net_ops

2018-03-15 Thread Guillaume Nault
On Thu, Mar 15, 2018 at 12:10:57PM +0300, Kirill Tkhai wrote: > Init method is rather simple. Exit method queues del_work > for every tunnel from per-net list. This seems to be safe > to be marked async. > Acked-by: Guillaume Nault <g.na...@alphalink.fr>

Re: [PATCH net v3 0/2] l2tp: fix races with ipv4-mapped ipv6 addresses

2018-03-12 Thread Guillaume Nault
eries: Reviewed-by: Guillaume Nault <g.na...@alphalink.fr>

Re: [PATCH net v2 2/2] l2tp: fix races with ipv4-mapped ipv6 addresses

2018-03-12 Thread Guillaume Nault
On Mon, Mar 12, 2018 at 09:53:18AM +0100, Paolo Abeni wrote: > On Fri, 2018-03-09 at 19:26 +0100, Guillaume Nault wrote: > > On Fri, Mar 09, 2018 at 06:58:00PM +0100, Paolo Abeni wrote: > > > The single threaded reproducer does not trigger anymore after 1/2, > > > _but

Re: [PATCH net v2 2/2] l2tp: fix races with ipv4-mapped ipv6 addresses

2018-03-09 Thread Guillaume Nault
On Fri, Mar 09, 2018 at 06:58:00PM +0100, Paolo Abeni wrote: > On Fri, 2018-03-09 at 18:47 +0100, Guillaume Nault wrote: > > On Fri, Mar 09, 2018 at 06:04:03PM +0100, Paolo Abeni wrote: > > > Hi, > > > > > > On Fri, 2018-03-09 at 17:43 +0100, Guillaume Nault wr

Re: [PATCH net v2 2/2] l2tp: fix races with ipv4-mapped ipv6 addresses

2018-03-09 Thread Guillaume Nault
On Fri, Mar 09, 2018 at 06:04:03PM +0100, Paolo Abeni wrote: > Hi, > > On Fri, 2018-03-09 at 17:43 +0100, Guillaume Nault wrote: > > > diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c > > > index 83421c6f0bef..9726e3f37745 100644 > > > --- a/net/l

Re: [PATCH net v2 2/2] l2tp: fix races with ipv4-mapped ipv6 addresses

2018-03-09 Thread Guillaume Nault
> diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c > index 83421c6f0bef..9726e3f37745 100644 > --- a/net/l2tp/l2tp_core.c > +++ b/net/l2tp/l2tp_core.c > @@ -1112,11 +1125,32 @@ int l2tp_xmit_skb(struct l2tp_session *session, > struct sk_buff *skb, int hdr_len > goto

Re: [PATCH net 2/2] l2tp: fix races with ipv4-mapped ipv6 addresses

2018-03-08 Thread Guillaume Nault
On Thu, Mar 08, 2018 at 03:37:27PM +0100, Paolo Abeni wrote: > When creating a new socket, l2tp_tunnel_create() ensures that > such socket is connected, but when using a socket provided by > the user space, no check is done on the socket state. > > This may foul the later check for ipv6 sockets

Re: [PATCH net] l2tp: do not accept arbitrary sockets

2018-03-07 Thread Guillaume Nault
On Tue, Mar 06, 2018 at 07:54:53AM -0800, Eric Dumazet wrote: > From: Eric Dumazet > > In another patch, we shall replace all pr_err() by less intrusive > pr_debug() so that syzkaller can find other bugs faster. > Or maybe just remove them entirely. These messages aren't

Re: [PATCH net] l2tp: do not accept arbitrary sockets

2018-03-06 Thread Guillaume Nault
d, missing checks have been the source of so many reports. Acked-by: Guillaume Nault <g.na...@alphalink.fr>
