2019-06-04 16:11:33 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2020-07-23 00:32:06 +08:00
|
|
|
/* L2TP core.
|
2010-04-02 14:18:33 +08:00
|
|
|
*
|
|
|
|
* Copyright (c) 2008,2009,2010 Katalix Systems Ltd
|
|
|
|
*
|
|
|
|
* This file contains some code of the original L2TPv2 pppol2tp
|
|
|
|
* driver, which has the following copyright:
|
|
|
|
*
|
|
|
|
* Authors: Martijn van Oosterhout <kleptog@svana.org>
|
|
|
|
* James Chapman (jchapman@katalix.com)
|
|
|
|
* Contributors:
|
|
|
|
* Michal Ostrowski <mostrows@speakeasy.net>
|
|
|
|
* Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
|
|
|
|
* David S. Miller (davem@redhat.com)
|
|
|
|
*/
|
|
|
|
|
2012-05-16 17:55:56 +08:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <linux/list.h>
|
2010-04-02 14:19:16 +08:00
|
|
|
#include <linux/rculist.h>
|
2010-04-02 14:18:33 +08:00
|
|
|
#include <linux/uaccess.h>
|
|
|
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
#include <linux/kthread.h>
|
|
|
|
#include <linux/sched.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/jiffies.h>
|
|
|
|
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/net.h>
|
|
|
|
#include <linux/inetdevice.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/init.h>
|
2010-04-02 14:19:00 +08:00
|
|
|
#include <linux/in.h>
|
2010-04-02 14:18:33 +08:00
|
|
|
#include <linux/ip.h>
|
|
|
|
#include <linux/udp.h>
|
2010-04-02 14:19:00 +08:00
|
|
|
#include <linux/l2tp.h>
|
2010-04-02 14:18:33 +08:00
|
|
|
#include <linux/hash.h>
|
|
|
|
#include <linux/sort.h>
|
|
|
|
#include <linux/file.h>
|
|
|
|
#include <linux/nsproxy.h>
|
|
|
|
#include <net/net_namespace.h>
|
|
|
|
#include <net/netns/generic.h>
|
|
|
|
#include <net/dst.h>
|
|
|
|
#include <net/ip.h>
|
|
|
|
#include <net/udp.h>
|
2014-07-14 10:49:48 +08:00
|
|
|
#include <net/udp_tunnel.h>
|
2010-04-02 14:19:10 +08:00
|
|
|
#include <net/inet_common.h>
|
2010-04-02 14:18:33 +08:00
|
|
|
#include <net/xfrm.h>
|
2010-04-02 14:19:00 +08:00
|
|
|
#include <net/protocol.h>
|
2012-04-27 16:24:18 +08:00
|
|
|
#include <net/inet6_connection_sock.h>
|
|
|
|
#include <net/inet_ecn.h>
|
|
|
|
#include <net/ip6_route.h>
|
2012-05-01 01:21:28 +08:00
|
|
|
#include <net/ip6_checksum.h>
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
#include <asm/byteorder.h>
|
2011-07-27 07:09:06 +08:00
|
|
|
#include <linux/atomic.h>
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
#include "l2tp_core.h"
|
2020-08-22 22:59:06 +08:00
|
|
|
#include "trace.h"
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2020-08-22 22:59:04 +08:00
|
|
|
#define CREATE_TRACE_POINTS
|
|
|
|
#include "trace.h"
|
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
#define L2TP_DRV_VERSION "V2.0"
|
|
|
|
|
|
|
|
/* L2TP header constants */
|
|
|
|
#define L2TP_HDRFLAG_T 0x8000
|
|
|
|
#define L2TP_HDRFLAG_L 0x4000
|
|
|
|
#define L2TP_HDRFLAG_S 0x0800
|
|
|
|
#define L2TP_HDRFLAG_O 0x0200
|
|
|
|
#define L2TP_HDRFLAG_P 0x0100
|
|
|
|
|
|
|
|
#define L2TP_HDR_VER_MASK 0x000F
|
|
|
|
#define L2TP_HDR_VER_2 0x0002
|
2010-04-02 14:18:49 +08:00
|
|
|
#define L2TP_HDR_VER_3 0x0003
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
/* L2TPv3 default L2-specific sublayer */
|
|
|
|
#define L2TP_SLFLAG_S 0x40000000
|
|
|
|
#define L2TP_SL_SEQ_MASK 0x00ffffff
|
|
|
|
|
2019-01-31 15:18:56 +08:00
|
|
|
#define L2TP_HDR_SIZE_MAX 14
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
/* Default trace flags */
|
|
|
|
#define L2TP_DEFAULT_DEBUG_FLAGS 0
|
|
|
|
|
|
|
|
/* Private data stored for received packets in the skb.
|
|
|
|
*/
|
|
|
|
struct l2tp_skb_cb {
|
2010-04-02 14:18:49 +08:00
|
|
|
u32 ns;
|
2010-04-02 14:18:33 +08:00
|
|
|
u16 has_seq;
|
|
|
|
u16 length;
|
|
|
|
unsigned long expires;
|
|
|
|
};
|
|
|
|
|
2020-07-23 00:32:14 +08:00
|
|
|
#define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *)&(skb)->cb[sizeof(struct inet_skb_parm)])
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2013-02-01 07:43:00 +08:00
|
|
|
static struct workqueue_struct *l2tp_wq;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
/* per-net private data for this module */
|
|
|
|
static unsigned int l2tp_net_id;
|
|
|
|
struct l2tp_net {
|
|
|
|
struct list_head l2tp_tunnel_list;
|
2020-07-23 00:32:06 +08:00
|
|
|
/* Lock for write access to l2tp_tunnel_list */
|
2010-04-02 14:19:16 +08:00
|
|
|
spinlock_t l2tp_tunnel_list_lock;
|
2010-04-02 14:18:49 +08:00
|
|
|
struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
|
2020-07-23 00:32:06 +08:00
|
|
|
/* Lock for write access to l2tp_session_hlist */
|
2010-04-02 14:19:16 +08:00
|
|
|
spinlock_t l2tp_session_hlist_lock;
|
2010-04-02 14:18:33 +08:00
|
|
|
};
|
|
|
|
|
2018-03-12 21:54:24 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
static bool l2tp_sk_is_v6(struct sock *sk)
|
|
|
|
{
|
|
|
|
return sk->sk_family == PF_INET6 &&
|
|
|
|
!ipv6_addr_v4mapped(&sk->sk_v6_daddr);
|
|
|
|
}
|
|
|
|
#endif
|
2010-10-21 15:50:46 +08:00
|
|
|
|
2017-04-12 16:05:29 +08:00
|
|
|
static inline struct l2tp_net *l2tp_pernet(const struct net *net)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
|
|
|
return net_generic(net, l2tp_net_id);
|
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
/* Session hash global list for L2TPv3.
|
|
|
|
* The session_id SHOULD be random according to RFC3931, but several
|
|
|
|
* L2TP implementations use incrementing session_ids. So we do a real
|
|
|
|
* hash on the session_id, rather than a simple bitmask.
|
|
|
|
*/
|
|
|
|
static inline struct hlist_head *
|
|
|
|
l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
|
|
|
|
{
|
|
|
|
return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
|
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
/* Session hash list.
|
|
|
|
* The session_id SHOULD be random according to RFC2661, but several
|
|
|
|
* L2TP implementations (Cisco and Microsoft) use incrementing
|
|
|
|
* session_ids. So we do a real hash on the session_id, rather than a
|
|
|
|
* simple bitmask.
|
|
|
|
*/
|
|
|
|
static inline struct hlist_head *
|
|
|
|
l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
|
|
|
|
{
|
|
|
|
return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
|
|
|
|
}
|
|
|
|
|
2020-07-29 01:20:29 +08:00
|
|
|
static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
{
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_free_tunnel(tunnel);
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
sock_put(tunnel->sock);
|
|
|
|
/* the tunnel is freed in the socket destructor */
|
|
|
|
}
|
2020-07-29 01:20:29 +08:00
|
|
|
|
|
|
|
static void l2tp_session_free(struct l2tp_session *session)
|
|
|
|
{
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_free_session(session);
|
2020-09-03 16:54:51 +08:00
|
|
|
if (session->tunnel)
|
|
|
|
l2tp_tunnel_dec_refcount(session->tunnel);
|
|
|
|
kfree(session);
|
|
|
|
}
|
2020-08-22 22:59:06 +08:00
|
|
|
|
2020-09-03 16:54:51 +08:00
|
|
|
struct l2tp_tunnel *l2tp_sk_to_tunnel(struct sock *sk)
|
|
|
|
{
|
|
|
|
struct l2tp_tunnel *tunnel = sk->sk_user_data;
|
|
|
|
|
|
|
|
if (tunnel)
|
2020-07-29 01:20:29 +08:00
|
|
|
if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC))
|
2020-09-03 16:54:51 +08:00
|
|
|
return NULL;
|
2020-07-29 01:20:29 +08:00
|
|
|
|
2020-09-03 16:54:51 +08:00
|
|
|
return tunnel;
|
2020-07-29 01:20:29 +08:00
|
|
|
}
|
2020-09-03 16:54:51 +08:00
|
|
|
EXPORT_SYMBOL_GPL(l2tp_sk_to_tunnel);
|
2020-07-29 01:20:29 +08:00
|
|
|
|
|
|
|
void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel)
|
|
|
|
{
|
|
|
|
refcount_inc(&tunnel->ref_count);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_inc_refcount);
|
|
|
|
|
|
|
|
void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel)
|
|
|
|
{
|
|
|
|
if (refcount_dec_and_test(&tunnel->ref_count))
|
|
|
|
l2tp_tunnel_free(tunnel);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_dec_refcount);
|
|
|
|
|
|
|
|
void l2tp_session_inc_refcount(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
refcount_inc(&session->ref_count);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_inc_refcount);
|
|
|
|
|
|
|
|
void l2tp_session_dec_refcount(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
if (refcount_dec_and_test(&session->ref_count))
|
|
|
|
l2tp_session_free(session);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_dec_refcount);
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
|
2017-08-25 22:51:40 +08:00
|
|
|
/* Lookup a tunnel. A new reference is held on the returned tunnel. */
|
|
|
|
struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
|
|
|
|
{
|
|
|
|
const struct l2tp_net *pn = l2tp_pernet(net);
|
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
|
|
|
|
rcu_read_lock_bh();
|
|
|
|
list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
|
2019-04-30 21:27:58 +08:00
|
|
|
if (tunnel->tunnel_id == tunnel_id &&
|
|
|
|
refcount_inc_not_zero(&tunnel->ref_count)) {
|
2017-08-25 22:51:40 +08:00
|
|
|
rcu_read_unlock_bh();
|
|
|
|
|
|
|
|
return tunnel;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
|
|
|
|
|
2018-04-13 02:50:33 +08:00
|
|
|
struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
|
|
|
|
{
|
|
|
|
const struct l2tp_net *pn = l2tp_pernet(net);
|
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
int count = 0;
|
|
|
|
|
|
|
|
rcu_read_lock_bh();
|
|
|
|
list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
|
2019-04-30 21:27:58 +08:00
|
|
|
if (++count > nth &&
|
|
|
|
refcount_inc_not_zero(&tunnel->ref_count)) {
|
2018-04-13 02:50:33 +08:00
|
|
|
rcu_read_unlock_bh();
|
|
|
|
return tunnel;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth);
|
|
|
|
|
2018-08-10 19:21:57 +08:00
|
|
|
struct l2tp_session *l2tp_tunnel_get_session(struct l2tp_tunnel *tunnel,
|
|
|
|
u32 session_id)
|
2017-03-31 19:02:25 +08:00
|
|
|
{
|
|
|
|
struct hlist_head *session_list;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
2018-08-10 19:21:57 +08:00
|
|
|
session_list = l2tp_session_id_hash(tunnel, session_id);
|
2017-03-31 19:02:25 +08:00
|
|
|
|
2018-08-10 19:21:57 +08:00
|
|
|
read_lock_bh(&tunnel->hlist_lock);
|
|
|
|
hlist_for_each_entry(session, session_list, hlist)
|
|
|
|
if (session->session_id == session_id) {
|
|
|
|
l2tp_session_inc_refcount(session);
|
|
|
|
read_unlock_bh(&tunnel->hlist_lock);
|
2017-03-31 19:02:25 +08:00
|
|
|
|
2018-08-10 19:21:57 +08:00
|
|
|
return session;
|
2017-03-31 19:02:25 +08:00
|
|
|
}
|
2018-08-10 19:21:57 +08:00
|
|
|
read_unlock_bh(&tunnel->hlist_lock);
|
2017-03-31 19:02:25 +08:00
|
|
|
|
2018-08-10 19:21:57 +08:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_get_session);
|
2017-03-31 19:02:25 +08:00
|
|
|
|
2018-08-10 19:21:57 +08:00
|
|
|
struct l2tp_session *l2tp_session_get(const struct net *net, u32 session_id)
|
|
|
|
{
|
|
|
|
struct hlist_head *session_list;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
|
|
|
session_list = l2tp_session_id_hash_2(l2tp_pernet(net), session_id);
|
|
|
|
|
|
|
|
rcu_read_lock_bh();
|
|
|
|
hlist_for_each_entry_rcu(session, session_list, global_hlist)
|
2017-03-31 19:02:25 +08:00
|
|
|
if (session->session_id == session_id) {
|
|
|
|
l2tp_session_inc_refcount(session);
|
2018-08-10 19:21:57 +08:00
|
|
|
rcu_read_unlock_bh();
|
2017-03-31 19:02:25 +08:00
|
|
|
|
|
|
|
return session;
|
|
|
|
}
|
2018-08-10 19:21:57 +08:00
|
|
|
rcu_read_unlock_bh();
|
2017-03-31 19:02:25 +08:00
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_get);
|
|
|
|
|
2017-11-01 00:36:42 +08:00
|
|
|
struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
|
|
|
int hash;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
int count = 0;
|
|
|
|
|
|
|
|
read_lock_bh(&tunnel->hlist_lock);
|
|
|
|
for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 09:06:00 +08:00
|
|
|
hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
|
2010-04-02 14:18:33 +08:00
|
|
|
if (++count > nth) {
|
2017-04-03 18:03:13 +08:00
|
|
|
l2tp_session_inc_refcount(session);
|
2010-04-02 14:18:33 +08:00
|
|
|
read_unlock_bh(&tunnel->hlist_lock);
|
|
|
|
return session;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
read_unlock_bh(&tunnel->hlist_lock);
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2017-04-03 18:03:13 +08:00
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2010-04-02 14:19:10 +08:00
|
|
|
/* Lookup a session by interface name.
|
|
|
|
* This is very inefficient but is only used by management interfaces.
|
|
|
|
*/
|
2017-04-12 16:05:29 +08:00
|
|
|
struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
|
2017-11-01 00:36:42 +08:00
|
|
|
const char *ifname)
|
2010-04-02 14:19:10 +08:00
|
|
|
{
|
|
|
|
struct l2tp_net *pn = l2tp_pernet(net);
|
|
|
|
int hash;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
2010-04-02 14:19:16 +08:00
|
|
|
rcu_read_lock_bh();
|
2010-04-02 14:19:10 +08:00
|
|
|
for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 09:06:00 +08:00
|
|
|
hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
|
2010-04-02 14:19:10 +08:00
|
|
|
if (!strcmp(session->ifname, ifname)) {
|
2017-03-31 19:02:30 +08:00
|
|
|
l2tp_session_inc_refcount(session);
|
2010-04-02 14:19:16 +08:00
|
|
|
rcu_read_unlock_bh();
|
2017-03-31 19:02:30 +08:00
|
|
|
|
2010-04-02 14:19:10 +08:00
|
|
|
return session;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-04-02 14:19:16 +08:00
|
|
|
rcu_read_unlock_bh();
|
2010-04-02 14:19:10 +08:00
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2017-03-31 19:02:30 +08:00
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
|
2010-04-02 14:19:10 +08:00
|
|
|
|
2017-10-27 22:51:50 +08:00
|
|
|
int l2tp_session_register(struct l2tp_session *session,
|
|
|
|
struct l2tp_tunnel *tunnel)
|
2017-03-31 19:02:27 +08:00
|
|
|
{
|
|
|
|
struct l2tp_session *session_walk;
|
|
|
|
struct hlist_head *g_head;
|
|
|
|
struct hlist_head *head;
|
|
|
|
struct l2tp_net *pn;
|
2017-09-01 23:58:48 +08:00
|
|
|
int err;
|
2017-03-31 19:02:27 +08:00
|
|
|
|
|
|
|
head = l2tp_session_id_hash(tunnel, session->session_id);
|
|
|
|
|
|
|
|
write_lock_bh(&tunnel->hlist_lock);
|
2017-09-01 23:58:48 +08:00
|
|
|
if (!tunnel->acpt_newsess) {
|
|
|
|
err = -ENODEV;
|
|
|
|
goto err_tlock;
|
|
|
|
}
|
|
|
|
|
2017-03-31 19:02:27 +08:00
|
|
|
hlist_for_each_entry(session_walk, head, hlist)
|
2017-09-01 23:58:48 +08:00
|
|
|
if (session_walk->session_id == session->session_id) {
|
|
|
|
err = -EEXIST;
|
|
|
|
goto err_tlock;
|
|
|
|
}
|
2017-03-31 19:02:27 +08:00
|
|
|
|
|
|
|
if (tunnel->version == L2TP_HDR_VER_3) {
|
|
|
|
pn = l2tp_pernet(tunnel->l2tp_net);
|
2018-06-25 22:07:24 +08:00
|
|
|
g_head = l2tp_session_id_hash_2(pn, session->session_id);
|
2017-03-31 19:02:27 +08:00
|
|
|
|
|
|
|
spin_lock_bh(&pn->l2tp_session_hlist_lock);
|
2017-09-01 23:58:48 +08:00
|
|
|
|
2020-02-04 07:24:00 +08:00
|
|
|
/* IP encap expects session IDs to be globally unique, while
|
|
|
|
* UDP encap doesn't.
|
|
|
|
*/
|
2017-03-31 19:02:27 +08:00
|
|
|
hlist_for_each_entry(session_walk, g_head, global_hlist)
|
2020-02-04 07:24:00 +08:00
|
|
|
if (session_walk->session_id == session->session_id &&
|
|
|
|
(session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
|
|
|
|
tunnel->encap == L2TP_ENCAPTYPE_IP)) {
|
2017-09-01 23:58:48 +08:00
|
|
|
err = -EEXIST;
|
|
|
|
goto err_tlock_pnlock;
|
|
|
|
}
|
2017-03-31 19:02:27 +08:00
|
|
|
|
2017-09-01 23:58:48 +08:00
|
|
|
l2tp_tunnel_inc_refcount(tunnel);
|
2017-03-31 19:02:27 +08:00
|
|
|
hlist_add_head_rcu(&session->global_hlist, g_head);
|
2017-09-01 23:58:48 +08:00
|
|
|
|
2017-03-31 19:02:27 +08:00
|
|
|
spin_unlock_bh(&pn->l2tp_session_hlist_lock);
|
2017-09-01 23:58:48 +08:00
|
|
|
} else {
|
|
|
|
l2tp_tunnel_inc_refcount(tunnel);
|
2017-03-31 19:02:27 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
hlist_add_head(&session->hlist, head);
|
|
|
|
write_unlock_bh(&tunnel->hlist_lock);
|
|
|
|
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_register_session(session);
|
|
|
|
|
2017-03-31 19:02:27 +08:00
|
|
|
return 0;
|
|
|
|
|
2017-09-01 23:58:48 +08:00
|
|
|
err_tlock_pnlock:
|
2017-03-31 19:02:27 +08:00
|
|
|
spin_unlock_bh(&pn->l2tp_session_hlist_lock);
|
2017-09-01 23:58:48 +08:00
|
|
|
err_tlock:
|
2017-03-31 19:02:27 +08:00
|
|
|
write_unlock_bh(&tunnel->hlist_lock);
|
|
|
|
|
2017-09-01 23:58:48 +08:00
|
|
|
return err;
|
2017-03-31 19:02:27 +08:00
|
|
|
}
|
2017-10-27 22:51:50 +08:00
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_register);
|
2017-03-31 19:02:27 +08:00
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
/*****************************************************************************
|
|
|
|
* Receive data handling
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
/* Queue a skb in order. We come here only if the skb has an L2TP sequence
|
|
|
|
* number.
|
|
|
|
*/
|
|
|
|
static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct sk_buff *skbp;
|
|
|
|
struct sk_buff *tmp;
|
2010-04-02 14:18:49 +08:00
|
|
|
u32 ns = L2TP_SKB_CB(skb)->ns;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
spin_lock_bh(&session->reorder_q.lock);
|
|
|
|
skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
|
|
|
|
if (L2TP_SKB_CB(skbp)->ns > ns) {
|
|
|
|
__skb_queue_before(&session->reorder_q, skbp, skb);
|
2013-03-19 14:11:22 +08:00
|
|
|
atomic_long_inc(&session->stats.rx_oos_packets);
|
2010-04-02 14:18:33 +08:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__skb_queue_tail(&session->reorder_q, skb);
|
|
|
|
|
|
|
|
out:
|
|
|
|
spin_unlock_bh(&session->reorder_q.lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Dequeue a single skb.
|
|
|
|
*/
|
|
|
|
static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct l2tp_tunnel *tunnel = session->tunnel;
|
|
|
|
int length = L2TP_SKB_CB(skb)->length;
|
|
|
|
|
|
|
|
/* We're about to requeue the skb, so return resources
|
|
|
|
* to its current owner (a socket receive buffer).
|
|
|
|
*/
|
|
|
|
skb_orphan(skb);
|
|
|
|
|
2013-03-19 14:11:22 +08:00
|
|
|
atomic_long_inc(&tunnel->stats.rx_packets);
|
|
|
|
atomic_long_add(length, &tunnel->stats.rx_bytes);
|
|
|
|
atomic_long_inc(&session->stats.rx_packets);
|
|
|
|
atomic_long_add(length, &session->stats.rx_bytes);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
if (L2TP_SKB_CB(skb)->has_seq) {
|
|
|
|
/* Bump our Nr */
|
|
|
|
session->nr++;
|
2013-07-03 03:28:59 +08:00
|
|
|
session->nr &= session->nr_max;
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_seqnum_update(session);
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* call private receive handler */
|
2020-07-23 19:29:50 +08:00
|
|
|
if (session->recv_skb)
|
2010-04-02 14:18:33 +08:00
|
|
|
(*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
|
|
|
|
else
|
|
|
|
kfree_skb(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Dequeue skbs from the session's reorder_q, subject to packet order.
|
|
|
|
* Skbs that have been in the queue for too long are simply discarded.
|
|
|
|
*/
|
|
|
|
static void l2tp_recv_dequeue(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sk_buff *tmp;
|
|
|
|
|
|
|
|
/* If the pkt at the head of the queue has the nr that we
|
|
|
|
* expect to send up next, dequeue it and any other
|
|
|
|
* in-sequence packets behind it.
|
|
|
|
*/
|
2011-11-03 06:47:44 +08:00
|
|
|
start:
|
2010-04-02 14:18:33 +08:00
|
|
|
spin_lock_bh(&session->reorder_q.lock);
|
|
|
|
skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
|
2020-08-22 22:59:06 +08:00
|
|
|
struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
|
|
|
|
|
|
|
|
/* If the packet has been pending on the queue for too long, discard it */
|
|
|
|
if (time_after(jiffies, cb->expires)) {
|
2013-03-19 14:11:22 +08:00
|
|
|
atomic_long_inc(&session->stats.rx_seq_discards);
|
|
|
|
atomic_long_inc(&session->stats.rx_errors);
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_pkt_expired(session, cb->ns);
|
2012-05-10 07:43:08 +08:00
|
|
|
session->reorder_skip = 1;
|
2010-04-02 14:18:33 +08:00
|
|
|
__skb_unlink(skb, &session->reorder_q);
|
|
|
|
kfree_skb(skb);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2020-08-22 22:59:06 +08:00
|
|
|
if (cb->has_seq) {
|
2012-05-10 07:43:08 +08:00
|
|
|
if (session->reorder_skip) {
|
|
|
|
session->reorder_skip = 0;
|
2020-08-22 22:59:06 +08:00
|
|
|
session->nr = cb->ns;
|
|
|
|
trace_session_seqnum_reset(session);
|
2012-05-10 07:43:08 +08:00
|
|
|
}
|
2020-08-22 22:59:06 +08:00
|
|
|
if (cb->ns != session->nr)
|
2010-04-02 14:18:33 +08:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
__skb_unlink(skb, &session->reorder_q);
|
|
|
|
|
|
|
|
/* Process the skb. We release the queue lock while we
|
|
|
|
* do so to let other contexts process the queue.
|
|
|
|
*/
|
|
|
|
spin_unlock_bh(&session->reorder_q.lock);
|
|
|
|
l2tp_recv_dequeue_skb(session, skb);
|
2011-11-03 06:47:44 +08:00
|
|
|
goto start;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
spin_unlock_bh(&session->reorder_q.lock);
|
|
|
|
}
|
|
|
|
|
2013-07-03 03:28:59 +08:00
|
|
|
static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
|
|
|
|
{
|
|
|
|
u32 nws;
|
|
|
|
|
|
|
|
if (nr >= session->nr)
|
|
|
|
nws = nr - session->nr;
|
|
|
|
else
|
|
|
|
nws = (session->nr_max + 1) - (session->nr - nr);
|
|
|
|
|
|
|
|
return nws < session->nr_window_size;
|
|
|
|
}
|
|
|
|
|
2013-07-03 03:28:58 +08:00
|
|
|
/* If packet has sequence numbers, queue it if acceptable. Returns 0 if
|
|
|
|
* acceptable, else non-zero.
|
|
|
|
*/
|
|
|
|
static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
|
|
|
|
{
|
2020-08-22 22:59:06 +08:00
|
|
|
struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
|
|
|
|
|
|
|
|
if (!l2tp_seq_check_rx_window(session, cb->ns)) {
|
2013-07-03 03:28:59 +08:00
|
|
|
/* Packet sequence number is outside allowed window.
|
|
|
|
* Discard it.
|
|
|
|
*/
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_pkt_outside_rx_window(session, cb->ns);
|
2013-07-03 03:28:59 +08:00
|
|
|
goto discard;
|
|
|
|
}
|
|
|
|
|
2013-07-03 03:28:58 +08:00
|
|
|
if (session->reorder_timeout != 0) {
|
|
|
|
/* Packet reordering enabled. Add skb to session's
|
|
|
|
* reorder queue, in order of ns.
|
|
|
|
*/
|
|
|
|
l2tp_recv_queue_skb(session, skb);
|
2013-07-03 03:29:00 +08:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Packet reordering disabled. Discard out-of-sequence packets, while
|
|
|
|
* tracking the number if in-sequence packets after the first OOS packet
|
|
|
|
* is seen. After nr_oos_count_max in-sequence packets, reset the
|
|
|
|
* sequence number to re-enable packet reception.
|
|
|
|
*/
|
2020-08-22 22:59:06 +08:00
|
|
|
if (cb->ns == session->nr) {
|
2013-07-03 03:29:00 +08:00
|
|
|
skb_queue_tail(&session->reorder_q, skb);
|
2013-07-03 03:28:58 +08:00
|
|
|
} else {
|
2020-08-22 22:59:06 +08:00
|
|
|
u32 nr_oos = cb->ns;
|
2013-07-03 03:29:00 +08:00
|
|
|
u32 nr_next = (session->nr_oos + 1) & session->nr_max;
|
|
|
|
|
|
|
|
if (nr_oos == nr_next)
|
|
|
|
session->nr_oos_count++;
|
|
|
|
else
|
|
|
|
session->nr_oos_count = 0;
|
|
|
|
|
|
|
|
session->nr_oos = nr_oos;
|
|
|
|
if (session->nr_oos_count > session->nr_oos_count_max) {
|
|
|
|
session->reorder_skip = 1;
|
|
|
|
}
|
|
|
|
if (!session->reorder_skip) {
|
2013-07-03 03:28:58 +08:00
|
|
|
atomic_long_inc(&session->stats.rx_seq_discards);
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_pkt_oos(session, cb->ns);
|
2013-07-03 03:28:58 +08:00
|
|
|
goto discard;
|
|
|
|
}
|
|
|
|
skb_queue_tail(&session->reorder_q, skb);
|
|
|
|
}
|
|
|
|
|
2013-07-03 03:29:00 +08:00
|
|
|
out:
|
2013-07-03 03:28:58 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
discard:
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
/* Do receive processing of L2TP data frames. We handle both L2TPv2
|
|
|
|
* and L2TPv3 data frames here.
|
|
|
|
*
|
|
|
|
* L2TPv2 Data Message Header
|
|
|
|
*
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Tunnel ID | Session ID |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Ns (opt) | Nr (opt) |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Offset Size (opt) | Offset pad... (opt)
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* Data frames are marked by T=0. All other fields are the same as
|
|
|
|
* those in L2TP control frames.
|
|
|
|
*
|
|
|
|
* L2TPv3 Data Message Header
|
|
|
|
*
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | L2TP Session Header |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | L2-Specific Sublayer |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Tunnel Payload ...
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* L2TPv3 Session Header Over IP
|
|
|
|
*
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Session ID |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Cookie (optional, maximum 64 bits)...
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* L2TPv3 L2-Specific Sublayer Format
|
|
|
|
*
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |x|S|x|x|x|x|x|x| Sequence Number |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
2018-01-06 02:47:14 +08:00
|
|
|
* Cookie value and sublayer format are negotiated with the peer when
|
|
|
|
* the session is set up. Unlike L2TPv2, we do not need to parse the
|
|
|
|
* packet header to determine if optional fields are present.
|
2010-04-02 14:18:49 +08:00
|
|
|
*
|
|
|
|
* Caller must already have parsed the frame and determined that it is
|
|
|
|
* a data (not control) frame before coming here. Fields up to the
|
|
|
|
* session-id have already been parsed and ptr points to the data
|
|
|
|
* after the session-id.
|
2010-04-02 14:18:33 +08:00
|
|
|
*/
|
2010-04-02 14:18:49 +08:00
|
|
|
void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
|
|
|
|
unsigned char *ptr, unsigned char *optr, u16 hdrflags,
|
2018-07-25 20:53:33 +08:00
|
|
|
int length)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
2010-04-02 14:18:49 +08:00
|
|
|
struct l2tp_tunnel *tunnel = session->tunnel;
|
2010-04-02 14:18:33 +08:00
|
|
|
int offset;
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
/* Parse and check optional cookie */
|
|
|
|
if (session->peer_cookie_len > 0) {
|
|
|
|
if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
|
2020-08-22 22:59:03 +08:00
|
|
|
pr_warn_ratelimited("%s: cookie mismatch (%u/%u). Discarding.\n",
|
|
|
|
tunnel->name, tunnel->tunnel_id,
|
|
|
|
session->session_id);
|
2013-03-19 14:11:22 +08:00
|
|
|
atomic_long_inc(&session->stats.rx_cookie_discards);
|
2010-04-02 14:18:49 +08:00
|
|
|
goto discard;
|
|
|
|
}
|
|
|
|
ptr += session->peer_cookie_len;
|
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
/* Handle the optional sequence numbers. Sequence numbers are
|
|
|
|
* in different places for L2TPv2 and L2TPv3.
|
|
|
|
*
|
|
|
|
* If we are the LAC, enable/disable sequence numbers under
|
|
|
|
* the control of the LNS. If no sequence numbers present but
|
|
|
|
* we were expecting them, discard frame.
|
|
|
|
*/
|
|
|
|
L2TP_SKB_CB(skb)->has_seq = 0;
|
2010-04-02 14:18:49 +08:00
|
|
|
if (tunnel->version == L2TP_HDR_VER_2) {
|
|
|
|
if (hdrflags & L2TP_HDRFLAG_S) {
|
|
|
|
/* Store L2TP info in the skb */
|
2020-08-22 22:59:01 +08:00
|
|
|
L2TP_SKB_CB(skb)->ns = ntohs(*(__be16 *)ptr);
|
2010-04-02 14:18:49 +08:00
|
|
|
L2TP_SKB_CB(skb)->has_seq = 1;
|
2020-08-22 22:59:01 +08:00
|
|
|
ptr += 2;
|
|
|
|
/* Skip past nr in the header */
|
|
|
|
ptr += 2;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
}
|
|
|
|
} else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
|
2020-07-23 00:32:05 +08:00
|
|
|
u32 l2h = ntohl(*(__be32 *)ptr);
|
2010-04-02 14:18:49 +08:00
|
|
|
|
|
|
|
if (l2h & 0x40000000) {
|
|
|
|
/* Store L2TP info in the skb */
|
2020-08-22 22:59:01 +08:00
|
|
|
L2TP_SKB_CB(skb)->ns = l2h & 0x00ffffff;
|
2010-04-02 14:18:49 +08:00
|
|
|
L2TP_SKB_CB(skb)->has_seq = 1;
|
|
|
|
}
|
2018-01-17 06:01:55 +08:00
|
|
|
ptr += 4;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (L2TP_SKB_CB(skb)->has_seq) {
|
2020-07-23 00:32:06 +08:00
|
|
|
/* Received a packet with sequence numbers. If we're the LAC,
|
2010-04-02 14:18:33 +08:00
|
|
|
* check if we sre sending sequence numbers and if not,
|
|
|
|
* configure it so.
|
|
|
|
*/
|
2020-07-23 19:29:51 +08:00
|
|
|
if (!session->lns_mode && !session->send_seq) {
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_seqnum_lns_enable(session);
|
2016-11-08 04:39:28 +08:00
|
|
|
session->send_seq = 1;
|
2010-04-02 14:18:49 +08:00
|
|
|
l2tp_session_set_header_len(session, tunnel->version);
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* No sequence numbers.
|
|
|
|
* If user has configured mandatory sequence numbers, discard.
|
|
|
|
*/
|
|
|
|
if (session->recv_seq) {
|
2020-08-22 22:59:03 +08:00
|
|
|
pr_warn_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
|
|
|
|
session->name);
|
2013-03-19 14:11:22 +08:00
|
|
|
atomic_long_inc(&session->stats.rx_seq_discards);
|
2010-04-02 14:18:33 +08:00
|
|
|
goto discard;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* If we're the LAC and we're sending sequence numbers, the
|
|
|
|
* LNS has requested that we no longer send sequence numbers.
|
|
|
|
* If we're the LNS and we're sending sequence numbers, the
|
|
|
|
* LAC is broken. Discard the frame.
|
|
|
|
*/
|
2020-07-23 19:29:51 +08:00
|
|
|
if (!session->lns_mode && session->send_seq) {
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_seqnum_lns_disable(session);
|
2010-04-02 14:18:33 +08:00
|
|
|
session->send_seq = 0;
|
2010-04-02 14:18:49 +08:00
|
|
|
l2tp_session_set_header_len(session, tunnel->version);
|
2010-04-02 14:18:33 +08:00
|
|
|
} else if (session->send_seq) {
|
2020-08-22 22:59:03 +08:00
|
|
|
pr_warn_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
|
|
|
|
session->name);
|
2013-03-19 14:11:22 +08:00
|
|
|
atomic_long_inc(&session->stats.rx_seq_discards);
|
2010-04-02 14:18:33 +08:00
|
|
|
goto discard;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-01-04 06:48:06 +08:00
|
|
|
/* Session data offset is defined only for L2TPv2 and is
|
|
|
|
* indicated by an optional 16-bit value in the header.
|
2010-04-02 14:18:49 +08:00
|
|
|
*/
|
|
|
|
if (tunnel->version == L2TP_HDR_VER_2) {
|
|
|
|
/* If offset bit set, skip it. */
|
|
|
|
if (hdrflags & L2TP_HDRFLAG_O) {
|
|
|
|
offset = ntohs(*(__be16 *)ptr);
|
|
|
|
ptr += 2 + offset;
|
|
|
|
}
|
2018-01-04 06:48:06 +08:00
|
|
|
}
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
offset = ptr - optr;
|
|
|
|
if (!pskb_may_pull(skb, offset))
|
|
|
|
goto discard;
|
|
|
|
|
|
|
|
__skb_pull(skb, offset);
|
|
|
|
|
|
|
|
/* Prepare skb for adding to the session's reorder_q. Hold
|
|
|
|
* packets for max reorder_timeout or 1 second if not
|
|
|
|
* reordering.
|
|
|
|
*/
|
|
|
|
L2TP_SKB_CB(skb)->length = length;
|
|
|
|
L2TP_SKB_CB(skb)->expires = jiffies +
|
|
|
|
(session->reorder_timeout ? session->reorder_timeout : HZ);
|
|
|
|
|
|
|
|
/* Add packet to the session's receive queue. Reordering is done here, if
|
|
|
|
* enabled. Saved L2TP protocol info is stored in skb->sb[].
|
|
|
|
*/
|
|
|
|
if (L2TP_SKB_CB(skb)->has_seq) {
|
2013-07-03 03:28:58 +08:00
|
|
|
if (l2tp_recv_data_seq(session, skb))
|
|
|
|
goto discard;
|
2010-04-02 14:18:33 +08:00
|
|
|
} else {
|
|
|
|
/* No sequence numbers. Add the skb to the tail of the
|
|
|
|
* reorder queue. This ensures that it will be
|
|
|
|
* delivered after all previous sequenced skbs.
|
|
|
|
*/
|
|
|
|
skb_queue_tail(&session->reorder_q, skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Try to dequeue as many skbs from reorder_q as we can. */
|
|
|
|
l2tp_recv_dequeue(session);
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
return;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
discard:
|
2013-03-19 14:11:22 +08:00
|
|
|
atomic_long_inc(&session->stats.rx_errors);
|
2010-04-02 14:18:33 +08:00
|
|
|
kfree_skb(skb);
|
2010-04-02 14:18:49 +08:00
|
|
|
}
|
2020-07-29 01:20:32 +08:00
|
|
|
EXPORT_SYMBOL_GPL(l2tp_recv_common);
|
2010-04-02 14:18:49 +08:00
|
|
|
|
2013-03-19 14:11:19 +08:00
|
|
|
/* Drop skbs from the session's reorder_q
|
|
|
|
*/
|
2020-07-24 23:31:55 +08:00
|
|
|
static void l2tp_session_queue_purge(struct l2tp_session *session)
|
2013-03-19 14:11:19 +08:00
|
|
|
{
|
|
|
|
struct sk_buff *skb = NULL;
|
2020-07-23 00:32:05 +08:00
|
|
|
|
2013-03-19 14:11:19 +08:00
|
|
|
while ((skb = skb_dequeue(&session->reorder_q))) {
|
|
|
|
atomic_long_inc(&session->stats.rx_errors);
|
|
|
|
kfree_skb(skb);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
/* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
|
|
|
|
* here. The skb is not on a list when we get here.
|
|
|
|
* Returns 0 if the packet was a data packet and was successfully passed on.
|
|
|
|
* Returns 1 if the packet was not a good data packet and could not be
|
|
|
|
* forwarded. All such packets are passed up to userspace to deal with.
|
|
|
|
*/
|
2018-07-25 20:53:33 +08:00
|
|
|
static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
|
2010-04-02 14:18:49 +08:00
|
|
|
{
|
|
|
|
struct l2tp_session *session = NULL;
|
|
|
|
unsigned char *ptr, *optr;
|
|
|
|
u16 hdrflags;
|
|
|
|
u32 tunnel_id, session_id;
|
|
|
|
u16 version;
|
|
|
|
int length;
|
|
|
|
|
2014-05-08 07:52:48 +08:00
|
|
|
/* UDP has verifed checksum */
|
2010-04-02 14:18:49 +08:00
|
|
|
|
|
|
|
/* UDP always verifies the packet length. */
|
|
|
|
__skb_pull(skb, sizeof(struct udphdr));
|
|
|
|
|
|
|
|
/* Short packet? */
|
2019-01-31 15:18:56 +08:00
|
|
|
if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
|
2020-08-22 22:59:03 +08:00
|
|
|
pr_warn_ratelimited("%s: recv short packet (len=%d)\n",
|
|
|
|
tunnel->name, skb->len);
|
2010-04-02 14:18:49 +08:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
2011-11-09 02:59:44 +08:00
|
|
|
/* Point to L2TP header */
|
2020-07-24 23:31:49 +08:00
|
|
|
optr = skb->data;
|
|
|
|
ptr = skb->data;
|
2011-11-09 02:59:44 +08:00
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
/* Get L2TP header flags */
|
2020-07-23 00:32:05 +08:00
|
|
|
hdrflags = ntohs(*(__be16 *)ptr);
|
2010-04-02 14:18:49 +08:00
|
|
|
|
|
|
|
/* Check protocol version */
|
|
|
|
version = hdrflags & L2TP_HDR_VER_MASK;
|
|
|
|
if (version != tunnel->version) {
|
2020-08-22 22:59:03 +08:00
|
|
|
pr_warn_ratelimited("%s: recv protocol version mismatch: got %d expected %d\n",
|
|
|
|
tunnel->name, version, tunnel->version);
|
2010-04-02 14:18:49 +08:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Get length of L2TP packet */
|
|
|
|
length = skb->len;
|
|
|
|
|
|
|
|
/* If type is control packet, it is handled by userspace. */
|
2020-08-22 22:59:01 +08:00
|
|
|
if (hdrflags & L2TP_HDRFLAG_T)
|
2010-04-02 14:18:49 +08:00
|
|
|
goto error;
|
|
|
|
|
|
|
|
/* Skip flags */
|
|
|
|
ptr += 2;
|
|
|
|
|
|
|
|
if (tunnel->version == L2TP_HDR_VER_2) {
|
|
|
|
/* If length is present, skip it */
|
|
|
|
if (hdrflags & L2TP_HDRFLAG_L)
|
|
|
|
ptr += 2;
|
|
|
|
|
|
|
|
/* Extract tunnel and session ID */
|
2020-07-23 00:32:05 +08:00
|
|
|
tunnel_id = ntohs(*(__be16 *)ptr);
|
2010-04-02 14:18:49 +08:00
|
|
|
ptr += 2;
|
2020-07-23 00:32:05 +08:00
|
|
|
session_id = ntohs(*(__be16 *)ptr);
|
2010-04-02 14:18:49 +08:00
|
|
|
ptr += 2;
|
|
|
|
} else {
|
|
|
|
ptr += 2; /* skip reserved bits */
|
|
|
|
tunnel_id = tunnel->tunnel_id;
|
2020-07-23 00:32:05 +08:00
|
|
|
session_id = ntohl(*(__be32 *)ptr);
|
2010-04-02 14:18:49 +08:00
|
|
|
ptr += 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Find the session context */
|
2018-08-10 19:21:57 +08:00
|
|
|
session = l2tp_tunnel_get_session(tunnel, session_id);
|
2010-04-02 14:19:10 +08:00
|
|
|
if (!session || !session->recv_skb) {
|
2017-11-01 00:36:42 +08:00
|
|
|
if (session)
|
2017-03-31 19:02:25 +08:00
|
|
|
l2tp_session_dec_refcount(session);
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
/* Not found? Pass to userspace to deal with */
|
2020-08-22 22:59:03 +08:00
|
|
|
pr_warn_ratelimited("%s: no session found (%u/%u). Passing up.\n",
|
|
|
|
tunnel->name, tunnel_id, session_id);
|
2010-04-02 14:18:49 +08:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
2019-01-30 14:55:14 +08:00
|
|
|
if (tunnel->version == L2TP_HDR_VER_3 &&
|
|
|
|
l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
|
|
|
|
goto error;
|
|
|
|
|
2018-07-25 20:53:33 +08:00
|
|
|
l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
|
2017-03-31 19:02:25 +08:00
|
|
|
l2tp_session_dec_refcount(session);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error:
|
|
|
|
/* Put UDP header back */
|
|
|
|
__skb_push(skb, sizeof(struct udphdr));
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* UDP encapsulation receive handler. See net/ipv4/udp.c.
|
|
|
|
* Return codes:
|
|
|
|
* 0 : success.
|
|
|
|
* <0: error
|
|
|
|
* >0: skb should be passed up to userspace as UDP.
|
|
|
|
*/
|
|
|
|
int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
|
2020-09-03 16:54:51 +08:00
|
|
|
/* Note that this is called from the encap_rcv hook inside an
|
|
|
|
* RCU-protected region, but without the socket being locked.
|
|
|
|
* Hence we use rcu_dereference_sk_user_data to access the
|
|
|
|
* tunnel data structure rather the usual l2tp_sk_to_tunnel
|
|
|
|
* accessor function.
|
|
|
|
*/
|
2019-04-24 00:43:26 +08:00
|
|
|
tunnel = rcu_dereference_sk_user_data(sk);
|
2020-07-23 19:29:50 +08:00
|
|
|
if (!tunnel)
|
2010-04-02 14:18:33 +08:00
|
|
|
goto pass_up;
|
2020-09-03 16:54:51 +08:00
|
|
|
if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC))
|
|
|
|
goto pass_up;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2018-07-25 20:53:33 +08:00
|
|
|
if (l2tp_udp_recv_core(tunnel, skb))
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
goto pass_up;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
pass_up:
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
|
|
|
|
|
|
|
|
/************************************************************************
|
|
|
|
* Transmit handling
|
|
|
|
***********************************************************************/
|
|
|
|
|
|
|
|
/* Build an L2TP header for the session into the buffer provided.
|
|
|
|
*/
|
2010-04-02 14:18:49 +08:00
|
|
|
static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
2010-04-02 14:18:49 +08:00
|
|
|
struct l2tp_tunnel *tunnel = session->tunnel;
|
2010-04-02 14:18:33 +08:00
|
|
|
__be16 *bufp = buf;
|
2010-04-02 14:18:49 +08:00
|
|
|
__be16 *optr = buf;
|
2010-04-02 14:18:33 +08:00
|
|
|
u16 flags = L2TP_HDR_VER_2;
|
|
|
|
u32 tunnel_id = tunnel->peer_tunnel_id;
|
|
|
|
u32 session_id = session->peer_session_id;
|
|
|
|
|
|
|
|
if (session->send_seq)
|
|
|
|
flags |= L2TP_HDRFLAG_S;
|
|
|
|
|
|
|
|
/* Setup L2TP header. */
|
|
|
|
*bufp++ = htons(flags);
|
|
|
|
*bufp++ = htons(tunnel_id);
|
|
|
|
*bufp++ = htons(session_id);
|
|
|
|
if (session->send_seq) {
|
|
|
|
*bufp++ = htons(session->ns);
|
|
|
|
*bufp++ = 0;
|
|
|
|
session->ns++;
|
2010-04-02 14:18:49 +08:00
|
|
|
session->ns &= 0xffff;
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_seqnum_update(session);
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
2010-04-02 14:18:49 +08:00
|
|
|
|
|
|
|
return bufp - optr;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
2010-04-02 14:19:00 +08:00
|
|
|
struct l2tp_tunnel *tunnel = session->tunnel;
|
2010-04-02 14:18:49 +08:00
|
|
|
char *bufp = buf;
|
|
|
|
char *optr = bufp;
|
|
|
|
|
2010-04-02 14:19:00 +08:00
|
|
|
/* Setup L2TP header. The header differs slightly for UDP and
|
|
|
|
* IP encapsulations. For UDP, there is 4 bytes of flags.
|
|
|
|
*/
|
|
|
|
if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
|
|
|
|
u16 flags = L2TP_HDR_VER_3;
|
2020-07-23 00:32:05 +08:00
|
|
|
*((__be16 *)bufp) = htons(flags);
|
2010-04-02 14:19:00 +08:00
|
|
|
bufp += 2;
|
2020-07-23 00:32:05 +08:00
|
|
|
*((__be16 *)bufp) = 0;
|
2010-04-02 14:19:00 +08:00
|
|
|
bufp += 2;
|
|
|
|
}
|
|
|
|
|
2020-07-23 00:32:05 +08:00
|
|
|
*((__be32 *)bufp) = htonl(session->peer_session_id);
|
2010-04-02 14:18:49 +08:00
|
|
|
bufp += 4;
|
|
|
|
if (session->cookie_len) {
|
|
|
|
memcpy(bufp, &session->cookie[0], session->cookie_len);
|
|
|
|
bufp += session->cookie_len;
|
|
|
|
}
|
2018-01-17 06:01:55 +08:00
|
|
|
if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
|
|
|
|
u32 l2h = 0;
|
2010-04-02 14:18:49 +08:00
|
|
|
|
2018-01-17 06:01:55 +08:00
|
|
|
if (session->send_seq) {
|
|
|
|
l2h = 0x40000000 | session->ns;
|
|
|
|
session->ns++;
|
|
|
|
session->ns &= 0xffffff;
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_session_seqnum_update(session);
|
2010-04-02 14:18:49 +08:00
|
|
|
}
|
2018-01-17 06:01:55 +08:00
|
|
|
|
|
|
|
*((__be32 *)bufp) = htonl(l2h);
|
|
|
|
bufp += 4;
|
2010-04-02 14:18:49 +08:00
|
|
|
}
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
return bufp - optr;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
2020-09-03 16:54:50 +08:00
|
|
|
/* Queue the packet to IP for output: tunnel socket lock must be held */
|
|
|
|
static int l2tp_xmit_queue(struct l2tp_tunnel *tunnel, struct sk_buff *skb, struct flowi *fl)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
2020-09-03 16:54:50 +08:00
|
|
|
int err;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2014-05-05 07:39:18 +08:00
|
|
|
skb->ignore_df = 1;
|
2020-07-07 02:02:32 +08:00
|
|
|
skb_dst_drop(skb);
|
2012-04-27 16:24:18 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2018-03-12 21:54:24 +08:00
|
|
|
if (l2tp_sk_is_v6(tunnel->sock))
|
2020-09-03 16:54:50 +08:00
|
|
|
err = inet6_csk_xmit(tunnel->sock, skb, NULL);
|
2012-04-27 16:24:18 +08:00
|
|
|
else
|
|
|
|
#endif
|
2020-09-03 16:54:50 +08:00
|
|
|
err = ip_queue_xmit(tunnel->sock, skb, fl);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2020-09-03 16:54:50 +08:00
|
|
|
return err >= 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
2020-09-03 16:54:50 +08:00
|
|
|
static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
2010-04-02 14:19:00 +08:00
|
|
|
struct l2tp_tunnel *tunnel = session->tunnel;
|
2020-09-03 16:54:50 +08:00
|
|
|
unsigned int data_len = skb->len;
|
2010-04-02 14:19:00 +08:00
|
|
|
struct sock *sk = tunnel->sock;
|
2020-09-03 16:54:50 +08:00
|
|
|
int headroom, uhlen, udp_len;
|
2012-06-29 04:15:13 +08:00
|
|
|
int ret = NET_XMIT_SUCCESS;
|
2020-09-03 16:54:50 +08:00
|
|
|
struct inet_sock *inet;
|
|
|
|
struct udphdr *uh;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
/* Check that there's enough headroom in the skb to insert IP,
|
|
|
|
* UDP and L2TP headers. If not enough, expand it to
|
|
|
|
* make room. Adjust truesize.
|
|
|
|
*/
|
2020-09-03 16:54:50 +08:00
|
|
|
uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(*uh) : 0;
|
|
|
|
headroom = NET_SKB_PAD + sizeof(struct iphdr) + uhlen + session->hdr_len;
|
2011-10-07 13:35:46 +08:00
|
|
|
if (skb_cow_head(skb, headroom)) {
|
2012-06-29 04:15:13 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
return NET_XMIT_DROP;
|
2011-10-07 13:35:46 +08:00
|
|
|
}
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
/* Setup L2TP header */
|
2020-07-29 01:20:31 +08:00
|
|
|
if (tunnel->version == L2TP_HDR_VER_2)
|
2020-09-03 16:54:47 +08:00
|
|
|
l2tp_build_l2tpv2_header(session, __skb_push(skb, session->hdr_len));
|
2020-07-29 01:20:31 +08:00
|
|
|
else
|
2020-09-03 16:54:47 +08:00
|
|
|
l2tp_build_l2tpv3_header(session, __skb_push(skb, session->hdr_len));
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2010-04-02 14:19:00 +08:00
|
|
|
/* Reset skb netfilter state */
|
2010-04-02 14:18:33 +08:00
|
|
|
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
|
2020-09-03 16:54:50 +08:00
|
|
|
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED);
|
2019-09-30 02:54:03 +08:00
|
|
|
nf_reset_ct(skb);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2011-05-09 04:45:20 +08:00
|
|
|
bh_lock_sock(sk);
|
|
|
|
if (sock_owned_by_user(sk)) {
|
2012-06-29 04:15:13 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
ret = NET_XMIT_DROP;
|
2011-05-09 04:45:20 +08:00
|
|
|
goto out_unlock;
|
|
|
|
}
|
|
|
|
|
2018-03-12 21:54:24 +08:00
|
|
|
/* The user-space may change the connection status for the user-space
|
|
|
|
* provided socket at run time: we must check it under the socket lock
|
|
|
|
*/
|
|
|
|
if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
ret = NET_XMIT_DROP;
|
|
|
|
goto out_unlock;
|
|
|
|
}
|
|
|
|
|
2011-05-07 13:23:20 +08:00
|
|
|
inet = inet_sk(sk);
|
2010-04-02 14:19:00 +08:00
|
|
|
switch (tunnel->encap) {
|
|
|
|
case L2TP_ENCAPTYPE_UDP:
|
|
|
|
/* Setup UDP header */
|
|
|
|
__skb_push(skb, sizeof(*uh));
|
|
|
|
skb_reset_transport_header(skb);
|
|
|
|
uh = udp_hdr(skb);
|
|
|
|
uh->source = inet->inet_sport;
|
|
|
|
uh->dest = inet->inet_dport;
|
2020-09-03 16:54:47 +08:00
|
|
|
udp_len = uhlen + session->hdr_len + data_len;
|
2010-04-02 14:19:00 +08:00
|
|
|
uh->len = htons(udp_len);
|
|
|
|
|
|
|
|
/* Calculate UDP checksum if configured to do so */
|
2012-04-27 16:24:18 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2018-03-12 21:54:24 +08:00
|
|
|
if (l2tp_sk_is_v6(sk))
|
2014-06-05 08:19:56 +08:00
|
|
|
udp6_set_csum(udp_get_no_check6_tx(sk),
|
|
|
|
skb, &inet6_sk(sk)->saddr,
|
|
|
|
&sk->sk_v6_daddr, udp_len);
|
2012-04-27 16:24:18 +08:00
|
|
|
else
|
|
|
|
#endif
|
2020-07-23 00:32:09 +08:00
|
|
|
udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
|
|
|
|
inet->inet_daddr, udp_len);
|
2010-04-02 14:19:00 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case L2TP_ENCAPTYPE_IP:
|
|
|
|
break;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
2020-09-03 16:54:50 +08:00
|
|
|
ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl);
|
|
|
|
|
2011-05-09 04:45:20 +08:00
|
|
|
out_unlock:
|
|
|
|
bh_unlock_sock(sk);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2012-06-29 04:15:13 +08:00
|
|
|
return ret;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
2020-09-03 16:54:50 +08:00
|
|
|
|
|
|
|
/* If caller requires the skb to have a ppp header, the header must be
|
|
|
|
* inserted in the skb data before calling this function.
|
|
|
|
*/
|
|
|
|
int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
unsigned int len = skb->len;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
ret = l2tp_xmit_core(session, skb);
|
|
|
|
if (ret == NET_XMIT_SUCCESS) {
|
|
|
|
atomic_long_inc(&session->tunnel->stats.tx_packets);
|
|
|
|
atomic_long_add(len, &session->tunnel->stats.tx_bytes);
|
|
|
|
atomic_long_inc(&session->stats.tx_packets);
|
|
|
|
atomic_long_add(len, &session->stats.tx_bytes);
|
|
|
|
} else {
|
|
|
|
atomic_long_inc(&session->tunnel->stats.tx_errors);
|
|
|
|
atomic_long_inc(&session->stats.tx_errors);
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
2010-04-02 14:18:33 +08:00
|
|
|
EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* Tinnel and session create/destroy.
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
/* Tunnel socket destruct hook.
|
|
|
|
* The tunnel context is deleted only when all session sockets have been
|
|
|
|
* closed.
|
|
|
|
*/
|
2010-10-21 15:50:46 +08:00
|
|
|
static void l2tp_tunnel_destruct(struct sock *sk)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
2020-09-03 16:54:51 +08:00
|
|
|
struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2020-07-23 19:29:50 +08:00
|
|
|
if (!tunnel)
|
2010-04-02 14:18:33 +08:00
|
|
|
goto end;
|
|
|
|
|
2013-02-01 07:43:00 +08:00
|
|
|
/* Disable udp encapsulation */
|
2010-04-02 14:19:00 +08:00
|
|
|
switch (tunnel->encap) {
|
|
|
|
case L2TP_ENCAPTYPE_UDP:
|
|
|
|
/* No longer an encapsulation socket. See net/ipv4/udp.c */
|
|
|
|
(udp_sk(sk))->encap_type = 0;
|
|
|
|
(udp_sk(sk))->encap_rcv = NULL;
|
2013-03-19 14:11:13 +08:00
|
|
|
(udp_sk(sk))->encap_destroy = NULL;
|
2010-04-02 14:19:00 +08:00
|
|
|
break;
|
|
|
|
case L2TP_ENCAPTYPE_IP:
|
|
|
|
break;
|
|
|
|
}
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
/* Remove hooks into tunnel socket */
|
|
|
|
sk->sk_destruct = tunnel->old_sk_destruct;
|
|
|
|
sk->sk_user_data = NULL;
|
|
|
|
|
2013-02-01 07:43:00 +08:00
|
|
|
/* Call the original destructor */
|
|
|
|
if (sk->sk_destruct)
|
|
|
|
(*sk->sk_destruct)(sk);
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
|
|
|
|
kfree_rcu(tunnel, rcu);
|
2010-04-02 14:18:33 +08:00
|
|
|
end:
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2020-07-29 01:20:28 +08:00
|
|
|
/* Remove an l2tp session from l2tp_core's hash lists. */
|
|
|
|
static void l2tp_session_unhash(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
struct l2tp_tunnel *tunnel = session->tunnel;
|
|
|
|
|
|
|
|
/* Remove the session from core hashes */
|
|
|
|
if (tunnel) {
|
|
|
|
/* Remove from the per-tunnel hash */
|
|
|
|
write_lock_bh(&tunnel->hlist_lock);
|
|
|
|
hlist_del_init(&session->hlist);
|
|
|
|
write_unlock_bh(&tunnel->hlist_lock);
|
|
|
|
|
|
|
|
/* For L2TPv3 we have a per-net hash: remove from there, too */
|
|
|
|
if (tunnel->version != L2TP_HDR_VER_2) {
|
|
|
|
struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
|
|
|
|
|
|
|
|
spin_lock_bh(&pn->l2tp_session_hlist_lock);
|
|
|
|
hlist_del_init_rcu(&session->global_hlist);
|
|
|
|
spin_unlock_bh(&pn->l2tp_session_hlist_lock);
|
|
|
|
synchronize_rcu();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
/* When the tunnel is closed, all the attached sessions need to go too.
|
|
|
|
*/
|
2018-06-25 22:07:23 +08:00
|
|
|
static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
|
|
|
int hash;
|
|
|
|
struct hlist_node *walk;
|
|
|
|
struct hlist_node *tmp;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
|
|
|
write_lock_bh(&tunnel->hlist_lock);
|
2017-09-01 23:58:48 +08:00
|
|
|
tunnel->acpt_newsess = false;
|
2010-04-02 14:18:33 +08:00
|
|
|
for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
|
|
|
|
again:
|
|
|
|
hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
|
|
|
|
session = hlist_entry(walk, struct l2tp_session, hlist);
|
|
|
|
hlist_del_init(&session->hlist);
|
|
|
|
|
|
|
|
write_unlock_bh(&tunnel->hlist_lock);
|
2020-09-03 16:54:52 +08:00
|
|
|
l2tp_session_delete(session);
|
2010-04-02 14:18:33 +08:00
|
|
|
write_lock_bh(&tunnel->hlist_lock);
|
|
|
|
|
|
|
|
/* Now restart from the beginning of this hash
|
|
|
|
* chain. We always remove a session from the
|
|
|
|
* list so we are guaranteed to make forward
|
|
|
|
* progress.
|
|
|
|
*/
|
|
|
|
goto again;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
write_unlock_bh(&tunnel->hlist_lock);
|
|
|
|
}
|
|
|
|
|
2013-03-19 14:11:13 +08:00
|
|
|
/* Tunnel socket destroy hook for UDP encapsulation */
|
|
|
|
static void l2tp_udp_encap_destroy(struct sock *sk)
|
|
|
|
{
|
2020-09-03 16:54:51 +08:00
|
|
|
struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk);
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
|
|
|
|
if (tunnel)
|
|
|
|
l2tp_tunnel_delete(tunnel);
|
2013-03-19 14:11:13 +08:00
|
|
|
}
|
|
|
|
|
2013-02-01 07:43:00 +08:00
|
|
|
/* Workqueue tunnel deletion function */
|
|
|
|
static void l2tp_tunnel_del_work(struct work_struct *work)
|
|
|
|
{
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
|
|
|
|
del_work);
|
|
|
|
struct sock *sk = tunnel->sock;
|
|
|
|
struct socket *sock = sk->sk_socket;
|
2018-02-24 01:45:47 +08:00
|
|
|
struct l2tp_net *pn;
|
2017-02-22 09:59:49 +08:00
|
|
|
|
|
|
|
l2tp_tunnel_closeall(tunnel);
|
|
|
|
|
2018-02-24 01:45:43 +08:00
|
|
|
/* If the tunnel socket was created within the kernel, use
|
2013-03-19 14:11:18 +08:00
|
|
|
* the sk API to release it here.
|
2013-02-01 07:43:00 +08:00
|
|
|
*/
|
2018-02-24 01:45:43 +08:00
|
|
|
if (tunnel->fd < 0) {
|
2015-05-09 10:10:31 +08:00
|
|
|
if (sock) {
|
2013-03-19 14:11:18 +08:00
|
|
|
kernel_sock_shutdown(sock, SHUT_RDWR);
|
2015-05-09 10:10:31 +08:00
|
|
|
sock_release(sock);
|
|
|
|
}
|
2013-02-01 07:43:03 +08:00
|
|
|
}
|
2013-02-01 07:43:00 +08:00
|
|
|
|
2018-02-24 01:45:47 +08:00
|
|
|
/* Remove the tunnel struct from the tunnel list */
|
|
|
|
pn = l2tp_pernet(tunnel->l2tp_net);
|
|
|
|
spin_lock_bh(&pn->l2tp_tunnel_list_lock);
|
|
|
|
list_del_rcu(&tunnel->list);
|
|
|
|
spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
|
|
|
|
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
/* drop initial ref */
|
|
|
|
l2tp_tunnel_dec_refcount(tunnel);
|
|
|
|
|
|
|
|
/* drop workqueue ref */
|
2015-09-28 17:32:42 +08:00
|
|
|
l2tp_tunnel_dec_refcount(tunnel);
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
2010-04-02 14:19:40 +08:00
|
|
|
/* Create a socket for the tunnel, if one isn't set up by
|
|
|
|
* userspace. This is used for static tunnels where there is no
|
|
|
|
* managing L2TP daemon.
|
2013-02-01 07:43:03 +08:00
|
|
|
*
|
|
|
|
* Since we don't want these sockets to keep a namespace alive by
|
|
|
|
* themselves, we drop the socket's namespace refcount after creation.
|
|
|
|
* These sockets are freed when the namespace exits using the pernet
|
|
|
|
* exit hook.
|
2010-04-02 14:19:40 +08:00
|
|
|
*/
|
2013-02-01 07:43:03 +08:00
|
|
|
static int l2tp_tunnel_sock_create(struct net *net,
|
2020-07-23 00:32:08 +08:00
|
|
|
u32 tunnel_id,
|
|
|
|
u32 peer_tunnel_id,
|
|
|
|
struct l2tp_tunnel_cfg *cfg,
|
|
|
|
struct socket **sockp)
|
2010-04-02 14:19:40 +08:00
|
|
|
{
|
|
|
|
int err = -EINVAL;
|
2013-02-01 07:43:03 +08:00
|
|
|
struct socket *sock = NULL;
|
2014-07-14 10:49:48 +08:00
|
|
|
struct udp_port_cfg udp_conf;
|
2010-04-02 14:19:40 +08:00
|
|
|
|
|
|
|
switch (cfg->encap) {
|
|
|
|
case L2TP_ENCAPTYPE_UDP:
|
2014-07-14 10:49:48 +08:00
|
|
|
memset(&udp_conf, 0, sizeof(udp_conf));
|
|
|
|
|
2012-04-30 05:48:52 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
if (cfg->local_ip6 && cfg->peer_ip6) {
|
2014-07-14 10:49:48 +08:00
|
|
|
udp_conf.family = AF_INET6;
|
|
|
|
memcpy(&udp_conf.local_ip6, cfg->local_ip6,
|
|
|
|
sizeof(udp_conf.local_ip6));
|
|
|
|
memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
|
|
|
|
sizeof(udp_conf.peer_ip6));
|
|
|
|
udp_conf.use_udp6_tx_checksums =
|
2020-07-23 00:32:05 +08:00
|
|
|
!cfg->udp6_zero_tx_checksums;
|
2014-07-14 10:49:48 +08:00
|
|
|
udp_conf.use_udp6_rx_checksums =
|
2020-07-23 00:32:05 +08:00
|
|
|
!cfg->udp6_zero_rx_checksums;
|
2012-04-30 05:48:52 +08:00
|
|
|
} else
|
|
|
|
#endif
|
|
|
|
{
|
2014-07-14 10:49:48 +08:00
|
|
|
udp_conf.family = AF_INET;
|
|
|
|
udp_conf.local_ip = cfg->local_ip;
|
|
|
|
udp_conf.peer_ip = cfg->peer_ip;
|
|
|
|
udp_conf.use_udp_checksums = cfg->use_udp_checksums;
|
2012-04-30 05:48:52 +08:00
|
|
|
}
|
2010-04-02 14:19:40 +08:00
|
|
|
|
2014-07-14 10:49:48 +08:00
|
|
|
udp_conf.local_udp_port = htons(cfg->local_udp_port);
|
|
|
|
udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
|
|
|
|
|
|
|
|
err = udp_sock_create(net, &udp_conf, &sock);
|
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
2010-04-02 14:19:40 +08:00
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
case L2TP_ENCAPTYPE_IP:
|
2012-04-30 05:48:52 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
if (cfg->local_ip6 && cfg->peer_ip6) {
|
2014-07-14 10:49:48 +08:00
|
|
|
struct sockaddr_l2tpip6 ip6_addr = {0};
|
|
|
|
|
2015-05-09 10:10:31 +08:00
|
|
|
err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
|
2020-07-23 00:32:08 +08:00
|
|
|
IPPROTO_L2TP, &sock);
|
2012-04-30 05:48:55 +08:00
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
2010-04-02 14:19:40 +08:00
|
|
|
|
2012-04-30 05:48:55 +08:00
|
|
|
ip6_addr.l2tp_family = AF_INET6;
|
|
|
|
memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
|
|
|
|
sizeof(ip6_addr.l2tp_addr));
|
|
|
|
ip6_addr.l2tp_conn_id = tunnel_id;
|
2020-07-23 00:32:05 +08:00
|
|
|
err = kernel_bind(sock, (struct sockaddr *)&ip6_addr,
|
2012-04-30 05:48:55 +08:00
|
|
|
sizeof(ip6_addr));
|
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
2010-04-02 14:19:40 +08:00
|
|
|
|
2012-04-30 05:48:55 +08:00
|
|
|
ip6_addr.l2tp_family = AF_INET6;
|
|
|
|
memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
|
|
|
|
sizeof(ip6_addr.l2tp_addr));
|
|
|
|
ip6_addr.l2tp_conn_id = peer_tunnel_id;
|
|
|
|
err = kernel_connect(sock,
|
2020-07-23 00:32:05 +08:00
|
|
|
(struct sockaddr *)&ip6_addr,
|
2012-04-30 05:48:55 +08:00
|
|
|
sizeof(ip6_addr), 0);
|
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
|
|
|
} else
|
|
|
|
#endif
|
|
|
|
{
|
2014-07-14 10:49:48 +08:00
|
|
|
struct sockaddr_l2tpip ip_addr = {0};
|
|
|
|
|
2015-05-09 10:10:31 +08:00
|
|
|
err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
|
2020-07-23 00:32:08 +08:00
|
|
|
IPPROTO_L2TP, &sock);
|
2012-04-30 05:48:55 +08:00
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
2010-04-02 14:19:40 +08:00
|
|
|
|
2012-04-30 05:48:55 +08:00
|
|
|
ip_addr.l2tp_family = AF_INET;
|
|
|
|
ip_addr.l2tp_addr = cfg->local_ip;
|
|
|
|
ip_addr.l2tp_conn_id = tunnel_id;
|
2020-07-23 00:32:05 +08:00
|
|
|
err = kernel_bind(sock, (struct sockaddr *)&ip_addr,
|
2012-04-30 05:48:55 +08:00
|
|
|
sizeof(ip_addr));
|
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
ip_addr.l2tp_family = AF_INET;
|
|
|
|
ip_addr.l2tp_addr = cfg->peer_ip;
|
|
|
|
ip_addr.l2tp_conn_id = peer_tunnel_id;
|
2020-07-23 00:32:05 +08:00
|
|
|
err = kernel_connect(sock, (struct sockaddr *)&ip_addr,
|
2012-04-30 05:48:55 +08:00
|
|
|
sizeof(ip_addr), 0);
|
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
|
|
|
}
|
2010-04-02 14:19:40 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
2013-02-01 07:43:03 +08:00
|
|
|
*sockp = sock;
|
2020-07-23 19:29:51 +08:00
|
|
|
if (err < 0 && sock) {
|
2013-02-01 07:43:03 +08:00
|
|
|
kernel_sock_shutdown(sock, SHUT_RDWR);
|
2015-05-09 10:10:31 +08:00
|
|
|
sock_release(sock);
|
2010-04-02 14:19:40 +08:00
|
|
|
*sockp = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
l2tp: fix a lockdep splat
Fixes following lockdep splat :
[ 1614.734896] =============================================
[ 1614.734898] [ INFO: possible recursive locking detected ]
[ 1614.734901] 3.6.0-rc3+ #782 Not tainted
[ 1614.734903] ---------------------------------------------
[ 1614.734905] swapper/11/0 is trying to acquire lock:
[ 1614.734907] (slock-AF_INET){+.-...}, at: [<ffffffffa0209d72>] l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
[ 1614.734920]
[ 1614.734920] but task is already holding lock:
[ 1614.734922] (slock-AF_INET){+.-...}, at: [<ffffffff815fce23>] tcp_v4_err+0x163/0x6b0
[ 1614.734932]
[ 1614.734932] other info that might help us debug this:
[ 1614.734935] Possible unsafe locking scenario:
[ 1614.734935]
[ 1614.734937] CPU0
[ 1614.734938] ----
[ 1614.734940] lock(slock-AF_INET);
[ 1614.734943] lock(slock-AF_INET);
[ 1614.734946]
[ 1614.734946] *** DEADLOCK ***
[ 1614.734946]
[ 1614.734949] May be due to missing lock nesting notation
[ 1614.734949]
[ 1614.734952] 7 locks held by swapper/11/0:
[ 1614.734954] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff81592801>] __netif_receive_skb+0x251/0xd00
[ 1614.734964] #1: (rcu_read_lock){.+.+..}, at: [<ffffffff815d319c>] ip_local_deliver_finish+0x4c/0x4e0
[ 1614.734972] #2: (rcu_read_lock){.+.+..}, at: [<ffffffff8160d116>] icmp_socket_deliver+0x46/0x230
[ 1614.734982] #3: (slock-AF_INET){+.-...}, at: [<ffffffff815fce23>] tcp_v4_err+0x163/0x6b0
[ 1614.734989] #4: (rcu_read_lock){.+.+..}, at: [<ffffffff815da240>] ip_queue_xmit+0x0/0x680
[ 1614.734997] #5: (rcu_read_lock_bh){.+....}, at: [<ffffffff815d9925>] ip_finish_output+0x135/0x890
[ 1614.735004] #6: (rcu_read_lock_bh){.+....}, at: [<ffffffff81595680>] dev_queue_xmit+0x0/0xe00
[ 1614.735012]
[ 1614.735012] stack backtrace:
[ 1614.735016] Pid: 0, comm: swapper/11 Not tainted 3.6.0-rc3+ #782
[ 1614.735018] Call Trace:
[ 1614.735020] <IRQ> [<ffffffff810a50ac>] __lock_acquire+0x144c/0x1b10
[ 1614.735033] [<ffffffff810a334b>] ? check_usage+0x9b/0x4d0
[ 1614.735037] [<ffffffff810a6762>] ? mark_held_locks+0x82/0x130
[ 1614.735042] [<ffffffff810a5df0>] lock_acquire+0x90/0x200
[ 1614.735047] [<ffffffffa0209d72>] ? l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
[ 1614.735051] [<ffffffff810a69ad>] ? trace_hardirqs_on+0xd/0x10
[ 1614.735060] [<ffffffff81749b31>] _raw_spin_lock+0x41/0x50
[ 1614.735065] [<ffffffffa0209d72>] ? l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
[ 1614.735069] [<ffffffffa0209d72>] l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
[ 1614.735075] [<ffffffffa014f7f2>] l2tp_eth_dev_xmit+0x32/0x60 [l2tp_eth]
[ 1614.735079] [<ffffffff81595112>] dev_hard_start_xmit+0x502/0xa70
[ 1614.735083] [<ffffffff81594c6e>] ? dev_hard_start_xmit+0x5e/0xa70
[ 1614.735087] [<ffffffff815957c1>] ? dev_queue_xmit+0x141/0xe00
[ 1614.735093] [<ffffffff815b622e>] sch_direct_xmit+0xfe/0x290
[ 1614.735098] [<ffffffff81595865>] dev_queue_xmit+0x1e5/0xe00
[ 1614.735102] [<ffffffff81595680>] ? dev_hard_start_xmit+0xa70/0xa70
[ 1614.735106] [<ffffffff815b4daa>] ? eth_header+0x3a/0xf0
[ 1614.735111] [<ffffffff8161d33e>] ? fib_get_table+0x2e/0x280
[ 1614.735117] [<ffffffff8160a7e2>] arp_xmit+0x22/0x60
[ 1614.735121] [<ffffffff8160a863>] arp_send+0x43/0x50
[ 1614.735125] [<ffffffff8160b82f>] arp_solicit+0x18f/0x450
[ 1614.735132] [<ffffffff8159d9da>] neigh_probe+0x4a/0x70
[ 1614.735137] [<ffffffff815a191a>] __neigh_event_send+0xea/0x300
[ 1614.735141] [<ffffffff815a1c93>] neigh_resolve_output+0x163/0x260
[ 1614.735146] [<ffffffff815d9cf5>] ip_finish_output+0x505/0x890
[ 1614.735150] [<ffffffff815d9925>] ? ip_finish_output+0x135/0x890
[ 1614.735154] [<ffffffff815dae79>] ip_output+0x59/0xf0
[ 1614.735158] [<ffffffff815da1cd>] ip_local_out+0x2d/0xa0
[ 1614.735162] [<ffffffff815da403>] ip_queue_xmit+0x1c3/0x680
[ 1614.735165] [<ffffffff815da240>] ? ip_local_out+0xa0/0xa0
[ 1614.735172] [<ffffffff815f4402>] tcp_transmit_skb+0x402/0xa60
[ 1614.735177] [<ffffffff815f5a11>] tcp_retransmit_skb+0x1a1/0x620
[ 1614.735181] [<ffffffff815f7e93>] tcp_retransmit_timer+0x393/0x960
[ 1614.735185] [<ffffffff815fce23>] ? tcp_v4_err+0x163/0x6b0
[ 1614.735189] [<ffffffff815fd317>] tcp_v4_err+0x657/0x6b0
[ 1614.735194] [<ffffffff8160d116>] ? icmp_socket_deliver+0x46/0x230
[ 1614.735199] [<ffffffff8160d19e>] icmp_socket_deliver+0xce/0x230
[ 1614.735203] [<ffffffff8160d116>] ? icmp_socket_deliver+0x46/0x230
[ 1614.735208] [<ffffffff8160d464>] icmp_unreach+0xe4/0x2c0
[ 1614.735213] [<ffffffff8160e520>] icmp_rcv+0x350/0x4a0
[ 1614.735217] [<ffffffff815d3285>] ip_local_deliver_finish+0x135/0x4e0
[ 1614.735221] [<ffffffff815d319c>] ? ip_local_deliver_finish+0x4c/0x4e0
[ 1614.735225] [<ffffffff815d3ffa>] ip_local_deliver+0x4a/0x90
[ 1614.735229] [<ffffffff815d37b7>] ip_rcv_finish+0x187/0x730
[ 1614.735233] [<ffffffff815d425d>] ip_rcv+0x21d/0x300
[ 1614.735237] [<ffffffff81592a1b>] __netif_receive_skb+0x46b/0xd00
[ 1614.735241] [<ffffffff81592801>] ? __netif_receive_skb+0x251/0xd00
[ 1614.735245] [<ffffffff81593368>] process_backlog+0xb8/0x180
[ 1614.735249] [<ffffffff81593cf9>] net_rx_action+0x159/0x330
[ 1614.735257] [<ffffffff810491f0>] __do_softirq+0xd0/0x3e0
[ 1614.735264] [<ffffffff8109ed24>] ? tick_program_event+0x24/0x30
[ 1614.735270] [<ffffffff8175419c>] call_softirq+0x1c/0x30
[ 1614.735278] [<ffffffff8100425d>] do_softirq+0x8d/0xc0
[ 1614.735282] [<ffffffff8104983e>] irq_exit+0xae/0xe0
[ 1614.735287] [<ffffffff8175494e>] smp_apic_timer_interrupt+0x6e/0x99
[ 1614.735291] [<ffffffff81753a1c>] apic_timer_interrupt+0x6c/0x80
[ 1614.735293] <EOI> [<ffffffff810a14ad>] ? trace_hardirqs_off+0xd/0x10
[ 1614.735306] [<ffffffff81336f85>] ? intel_idle+0xf5/0x150
[ 1614.735310] [<ffffffff81336f7e>] ? intel_idle+0xee/0x150
[ 1614.735317] [<ffffffff814e6ea9>] cpuidle_enter+0x19/0x20
[ 1614.735321] [<ffffffff814e7538>] cpuidle_idle_call+0xa8/0x630
[ 1614.735327] [<ffffffff8100c1ba>] cpu_idle+0x8a/0xe0
[ 1614.735333] [<ffffffff8173762e>] start_secondary+0x220/0x222
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-04 15:18:57 +08:00
|
|
|
static struct lock_class_key l2tp_socket_class;
|
|
|
|
|
2020-09-03 16:54:49 +08:00
|
|
|
int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id,
|
2020-07-23 00:32:13 +08:00
|
|
|
struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
|
|
|
struct l2tp_tunnel *tunnel = NULL;
|
|
|
|
int err;
|
2010-04-02 14:19:00 +08:00
|
|
|
enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2020-07-23 19:29:50 +08:00
|
|
|
if (cfg)
|
2010-04-02 14:19:00 +08:00
|
|
|
encap = cfg->encap;
|
|
|
|
|
2020-07-23 19:29:55 +08:00
|
|
|
tunnel = kzalloc(sizeof(*tunnel), GFP_KERNEL);
|
2020-07-23 19:29:50 +08:00
|
|
|
if (!tunnel) {
|
2010-04-02 14:18:33 +08:00
|
|
|
err = -ENOMEM;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
tunnel->version = version;
|
|
|
|
tunnel->tunnel_id = tunnel_id;
|
|
|
|
tunnel->peer_tunnel_id = peer_tunnel_id;
|
|
|
|
|
|
|
|
tunnel->magic = L2TP_TUNNEL_MAGIC;
|
|
|
|
sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
|
|
|
|
rwlock_init(&tunnel->hlist_lock);
|
2017-09-01 23:58:48 +08:00
|
|
|
tunnel->acpt_newsess = true;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2010-04-02 14:19:00 +08:00
|
|
|
tunnel->encap = encap;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
l2tp: fix races with tunnel socket close
The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself may race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.
Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.
Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.
Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
pppol2tp_connect+0xd18/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 01:45:45 +08:00
|
|
|
refcount_set(&tunnel->ref_count, 1);
|
|
|
|
tunnel->fd = fd;
|
|
|
|
|
2013-02-01 07:43:00 +08:00
|
|
|
/* Init delete workqueue struct */
|
|
|
|
INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
|
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
INIT_LIST_HEAD(&tunnel->list);
|
|
|
|
|
|
|
|
err = 0;
|
|
|
|
err:
|
|
|
|
if (tunnelp)
|
|
|
|
*tunnelp = tunnel;
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
|
|
|
|
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
static int l2tp_validate_socket(const struct sock *sk, const struct net *net,
|
|
|
|
enum l2tp_encap_type encap)
|
|
|
|
{
|
|
|
|
if (!net_eq(sock_net(sk), net))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (sk->sk_type != SOCK_DGRAM)
|
|
|
|
return -EPROTONOSUPPORT;
|
|
|
|
|
2020-05-30 02:32:25 +08:00
|
|
|
if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
|
|
|
|
return -EPROTONOSUPPORT;
|
|
|
|
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
|
|
|
|
(encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
|
|
|
|
return -EPROTONOSUPPORT;
|
|
|
|
|
|
|
|
if (sk->sk_user_data)
|
|
|
|
return -EBUSY;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
|
|
|
|
struct l2tp_tunnel_cfg *cfg)
|
|
|
|
{
|
2018-04-11 03:01:13 +08:00
|
|
|
struct l2tp_tunnel *tunnel_walk;
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
struct l2tp_net *pn;
|
|
|
|
struct socket *sock;
|
|
|
|
struct sock *sk;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (tunnel->fd < 0) {
|
|
|
|
ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id,
|
|
|
|
tunnel->peer_tunnel_id, cfg,
|
|
|
|
&sock);
|
|
|
|
if (ret < 0)
|
|
|
|
goto err;
|
|
|
|
} else {
|
|
|
|
sock = sockfd_lookup(tunnel->fd, &ret);
|
|
|
|
if (!sock)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
|
|
|
|
if (ret < 0)
|
|
|
|
goto err_sock;
|
|
|
|
}
|
|
|
|
|
|
|
|
tunnel->l2tp_net = net;
|
|
|
|
pn = l2tp_pernet(net);
|
2018-04-11 03:01:13 +08:00
|
|
|
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
spin_lock_bh(&pn->l2tp_tunnel_list_lock);
|
2018-04-11 03:01:13 +08:00
|
|
|
list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) {
|
|
|
|
if (tunnel_walk->tunnel_id == tunnel->tunnel_id) {
|
|
|
|
spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
|
|
|
|
|
|
|
|
ret = -EEXIST;
|
|
|
|
goto err_sock;
|
|
|
|
}
|
|
|
|
}
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
|
|
|
|
spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
|
|
|
|
|
2018-11-13 01:08:25 +08:00
|
|
|
sk = sock->sk;
|
|
|
|
sock_hold(sk);
|
|
|
|
tunnel->sock = sk;
|
|
|
|
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
|
|
|
|
struct udp_tunnel_sock_cfg udp_cfg = {
|
|
|
|
.sk_user_data = tunnel,
|
|
|
|
.encap_type = UDP_ENCAP_L2TPINUDP,
|
|
|
|
.encap_rcv = l2tp_udp_encap_recv,
|
|
|
|
.encap_destroy = l2tp_udp_encap_destroy,
|
|
|
|
};
|
|
|
|
|
|
|
|
setup_udp_tunnel_sock(net, sock, &udp_cfg);
|
|
|
|
} else {
|
|
|
|
sk->sk_user_data = tunnel;
|
|
|
|
}
|
|
|
|
|
|
|
|
tunnel->old_sk_destruct = sk->sk_destruct;
|
|
|
|
sk->sk_destruct = &l2tp_tunnel_destruct;
|
|
|
|
lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
|
|
|
|
"l2tp_sock");
|
|
|
|
sk->sk_allocation = GFP_ATOMIC;
|
|
|
|
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_register_tunnel(tunnel);
|
|
|
|
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
if (tunnel->fd >= 0)
|
|
|
|
sockfd_put(sock);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err_sock:
|
2018-04-11 03:01:13 +08:00
|
|
|
if (tunnel->fd < 0)
|
|
|
|
sock_release(sock);
|
|
|
|
else
|
|
|
|
sockfd_put(sock);
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 03:01:12 +08:00
|
|
|
err:
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
|
|
|
|
|
2010-04-02 14:19:10 +08:00
|
|
|
/* This function is used by the netlink TUNNEL_DELETE command.
|
|
|
|
*/
|
2017-09-26 22:16:43 +08:00
|
|
|
void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
|
2010-04-02 14:19:10 +08:00
|
|
|
{
|
2017-09-26 22:16:43 +08:00
|
|
|
if (!test_and_set_bit(0, &tunnel->dead)) {
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_delete_tunnel(tunnel);
|
2017-09-26 22:16:43 +08:00
|
|
|
l2tp_tunnel_inc_refcount(tunnel);
|
|
|
|
queue_work(l2tp_wq, &tunnel->del_work);
|
2015-09-28 17:32:42 +08:00
|
|
|
}
|
2010-04-02 14:19:10 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
|
|
|
|
|
2020-07-29 01:20:30 +08:00
|
|
|
void l2tp_session_delete(struct l2tp_session *session)
|
2010-04-02 14:19:10 +08:00
|
|
|
{
|
l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()
There are several ways to remove L2TP sessions:
* deleting a session explicitly using the netlink interface (with
L2TP_CMD_SESSION_DELETE),
* deleting the session's parent tunnel (either by closing the
tunnel's file descriptor or using the netlink interface),
* closing the PPPOL2TP file descriptor of a PPP pseudo-wire.
In some cases, when these methods are used concurrently on the same
session, the session can be removed twice, leading to use-after-free
bugs.
This patch adds a 'dead' flag, used by l2tp_session_delete() and
l2tp_tunnel_closeall() to prevent them from stepping on each other's
toes.
The session deletion path used when closing a PPPOL2TP file descriptor
doesn't need to be adapted. It already has to ensure that a session
remains valid for the lifetime of its PPPOL2TP file descriptor.
So it takes an extra reference on the session in the ->session_close()
callback (pppol2tp_session_close()), which is eventually dropped
in the ->sk_destruct() callback of the PPPOL2TP socket
(pppol2tp_session_destruct()).
Still, __l2tp_session_unhash() and l2tp_session_queue_purge() can be
called twice and even concurrently for a given session, but thanks to
proper locking and re-initialisation of list fields, this is not an
issue.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-22 21:39:24 +08:00
|
|
|
if (test_and_set_bit(0, &session->dead))
|
2020-07-29 01:20:30 +08:00
|
|
|
return;
|
l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()
There are several ways to remove L2TP sessions:
* deleting a session explicitly using the netlink interface (with
L2TP_CMD_SESSION_DELETE),
* deleting the session's parent tunnel (either by closing the
tunnel's file descriptor or using the netlink interface),
* closing the PPPOL2TP file descriptor of a PPP pseudo-wire.
In some cases, when these methods are used concurrently on the same
session, the session can be removed twice, leading to use-after-free
bugs.
This patch adds a 'dead' flag, used by l2tp_session_delete() and
l2tp_tunnel_closeall() to prevent them from stepping on each other's
toes.
The session deletion path used when closing a PPPOL2TP file descriptor
doesn't need to be adapted. It already has to ensure that a session
remains valid for the lifetime of its PPPOL2TP file descriptor.
So it takes an extra reference on the session in the ->session_close()
callback (pppol2tp_session_close()), which is eventually dropped
in the ->sk_destruct() callback of the PPPOL2TP socket
(pppol2tp_session_destruct()).
Still, __l2tp_session_unhash() and l2tp_session_queue_purge() can be
called twice and even concurrently for a given session, but thanks to
proper locking and re-initialisation of list fields, this is not an
issue.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-22 21:39:24 +08:00
|
|
|
|
2020-08-22 22:59:06 +08:00
|
|
|
trace_delete_session(session);
|
2020-07-29 01:20:28 +08:00
|
|
|
l2tp_session_unhash(session);
|
2013-03-19 14:11:20 +08:00
|
|
|
l2tp_session_queue_purge(session);
|
2020-07-23 19:29:50 +08:00
|
|
|
if (session->session_close)
|
2010-04-02 14:19:10 +08:00
|
|
|
(*session->session_close)(session);
|
2017-11-01 00:36:42 +08:00
|
|
|
|
2010-04-02 14:19:10 +08:00
|
|
|
l2tp_session_dec_refcount(session);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_delete);
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
/* We come here whenever a session's send_seq, cookie_len or
|
2018-01-17 06:01:55 +08:00
|
|
|
* l2specific_type parameters are set.
|
2010-04-02 14:18:49 +08:00
|
|
|
*/
|
2014-03-06 18:14:30 +08:00
|
|
|
void l2tp_session_set_header_len(struct l2tp_session *session, int version)
|
2010-04-02 14:18:49 +08:00
|
|
|
{
|
|
|
|
if (version == L2TP_HDR_VER_2) {
|
|
|
|
session->hdr_len = 6;
|
|
|
|
if (session->send_seq)
|
|
|
|
session->hdr_len += 4;
|
|
|
|
} else {
|
2018-01-17 06:01:55 +08:00
|
|
|
session->hdr_len = 4 + session->cookie_len;
|
|
|
|
session->hdr_len += l2tp_get_l2specific_len(session);
|
2010-04-02 14:19:00 +08:00
|
|
|
if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
|
|
|
|
session->hdr_len += 4;
|
2010-04-02 14:18:49 +08:00
|
|
|
}
|
|
|
|
}
|
2014-03-06 18:14:30 +08:00
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
|
2010-04-02 14:18:49 +08:00
|
|
|
|
2020-07-23 00:32:13 +08:00
|
|
|
struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id,
|
|
|
|
u32 peer_session_id, struct l2tp_session_cfg *cfg)
|
2010-04-02 14:18:33 +08:00
|
|
|
{
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
2020-07-23 19:29:55 +08:00
|
|
|
session = kzalloc(sizeof(*session) + priv_size, GFP_KERNEL);
|
2020-07-23 19:29:50 +08:00
|
|
|
if (session) {
|
2010-04-02 14:18:33 +08:00
|
|
|
session->magic = L2TP_SESSION_MAGIC;
|
|
|
|
session->tunnel = tunnel;
|
|
|
|
|
|
|
|
session->session_id = session_id;
|
|
|
|
session->peer_session_id = peer_session_id;
|
2012-05-10 07:43:09 +08:00
|
|
|
session->nr = 0;
|
2013-07-03 03:28:59 +08:00
|
|
|
if (tunnel->version == L2TP_HDR_VER_2)
|
|
|
|
session->nr_max = 0xffff;
|
|
|
|
else
|
|
|
|
session->nr_max = 0xffffff;
|
|
|
|
session->nr_window_size = session->nr_max / 2;
|
2013-07-03 03:29:00 +08:00
|
|
|
session->nr_oos_count_max = 4;
|
|
|
|
|
|
|
|
/* Use NR of first received packet */
|
|
|
|
session->reorder_skip = 1;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
sprintf(&session->name[0], "sess %u/%u",
|
|
|
|
tunnel->tunnel_id, session->session_id);
|
|
|
|
|
|
|
|
skb_queue_head_init(&session->reorder_q);
|
|
|
|
|
|
|
|
INIT_HLIST_NODE(&session->hlist);
|
2010-04-02 14:18:49 +08:00
|
|
|
INIT_HLIST_NODE(&session->global_hlist);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
if (cfg) {
|
2010-04-02 14:18:49 +08:00
|
|
|
session->pwtype = cfg->pw_type;
|
2010-04-02 14:18:33 +08:00
|
|
|
session->send_seq = cfg->send_seq;
|
|
|
|
session->recv_seq = cfg->recv_seq;
|
|
|
|
session->lns_mode = cfg->lns_mode;
|
2010-04-02 14:18:49 +08:00
|
|
|
session->reorder_timeout = cfg->reorder_timeout;
|
|
|
|
session->l2specific_type = cfg->l2specific_type;
|
|
|
|
session->cookie_len = cfg->cookie_len;
|
|
|
|
memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
|
|
|
|
session->peer_cookie_len = cfg->peer_cookie_len;
|
|
|
|
memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
l2tp_session_set_header_len(session, tunnel->version);
|
|
|
|
|
2017-08-25 22:22:17 +08:00
|
|
|
refcount_set(&session->ref_count, 1);
|
|
|
|
|
2017-03-31 19:02:27 +08:00
|
|
|
return session;
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
2017-03-31 19:02:27 +08:00
|
|
|
return ERR_PTR(-ENOMEM);
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(l2tp_session_create);
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* Init and cleanup
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
static __net_init int l2tp_init_net(struct net *net)
|
|
|
|
{
|
2010-04-23 08:53:39 +08:00
|
|
|
struct l2tp_net *pn = net_generic(net, l2tp_net_id);
|
2010-04-02 14:18:49 +08:00
|
|
|
int hash;
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
|
2010-04-02 14:19:16 +08:00
|
|
|
spin_lock_init(&pn->l2tp_tunnel_list_lock);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
2010-04-02 14:18:49 +08:00
|
|
|
for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
|
|
|
|
INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
|
|
|
|
|
2010-04-02 14:19:16 +08:00
|
|
|
spin_lock_init(&pn->l2tp_session_hlist_lock);
|
2010-04-02 14:18:49 +08:00
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-02-01 07:43:03 +08:00
|
|
|
static __net_exit void l2tp_exit_net(struct net *net)
|
|
|
|
{
|
|
|
|
struct l2tp_net *pn = l2tp_pernet(net);
|
|
|
|
struct l2tp_tunnel *tunnel = NULL;
|
2017-11-13 03:30:31 +08:00
|
|
|
int hash;
|
2013-02-01 07:43:03 +08:00
|
|
|
|
|
|
|
rcu_read_lock_bh();
|
|
|
|
list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
|
2017-10-25 21:57:55 +08:00
|
|
|
l2tp_tunnel_delete(tunnel);
|
2013-02-01 07:43:03 +08:00
|
|
|
}
|
|
|
|
rcu_read_unlock_bh();
|
2016-09-02 16:22:54 +08:00
|
|
|
|
2019-05-06 22:44:04 +08:00
|
|
|
if (l2tp_wq)
|
|
|
|
flush_workqueue(l2tp_wq);
|
2016-09-02 16:22:54 +08:00
|
|
|
rcu_barrier();
|
2017-11-13 03:30:31 +08:00
|
|
|
|
|
|
|
for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
|
|
|
|
WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash]));
|
2013-02-01 07:43:03 +08:00
|
|
|
}
|
|
|
|
|
2010-04-02 14:18:33 +08:00
|
|
|
static struct pernet_operations l2tp_net_ops = {
|
|
|
|
.init = l2tp_init_net,
|
2013-02-01 07:43:03 +08:00
|
|
|
.exit = l2tp_exit_net,
|
2010-04-02 14:18:33 +08:00
|
|
|
.id = &l2tp_net_id,
|
|
|
|
.size = sizeof(struct l2tp_net),
|
|
|
|
};
|
|
|
|
|
|
|
|
static int __init l2tp_init(void)
|
|
|
|
{
|
|
|
|
int rc = 0;
|
|
|
|
|
|
|
|
rc = register_pernet_device(&l2tp_net_ops);
|
|
|
|
if (rc)
|
|
|
|
goto out;
|
|
|
|
|
2014-03-27 09:41:47 +08:00
|
|
|
l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
|
2013-02-01 07:43:00 +08:00
|
|
|
if (!l2tp_wq) {
|
|
|
|
pr_err("alloc_workqueue failed\n");
|
2015-04-04 04:46:09 +08:00
|
|
|
unregister_pernet_device(&l2tp_net_ops);
|
2013-02-01 07:43:00 +08:00
|
|
|
rc = -ENOMEM;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2012-05-16 17:55:56 +08:00
|
|
|
pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
|
2010-04-02 14:18:33 +08:00
|
|
|
|
|
|
|
out:
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit l2tp_exit(void)
|
|
|
|
{
|
|
|
|
unregister_pernet_device(&l2tp_net_ops);
|
2013-02-01 07:43:00 +08:00
|
|
|
if (l2tp_wq) {
|
|
|
|
destroy_workqueue(l2tp_wq);
|
|
|
|
l2tp_wq = NULL;
|
|
|
|
}
|
2010-04-02 14:18:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
module_init(l2tp_init);
|
|
|
|
module_exit(l2tp_exit);
|
|
|
|
|
|
|
|
MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
|
|
|
|
MODULE_DESCRIPTION("L2TP core");
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_VERSION(L2TP_DRV_VERSION);
|