From patchwork Thu May 21 23:57:14 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225465
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 0D2DCC433E0
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:57:57 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id D90B2206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:57:56 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="Ez+zqwBQ"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729211AbgEUX54 (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:57:56 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59494 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1728762AbgEUX54 (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:57:56 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EDA2DC061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:57:55 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id y7so7270044ybj.15
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:57:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=SqxOE+9wT9bCDyiiANOmvuVw5V5WdLRN81dGOQgBRMU=;
 b=Ez+zqwBQSBo8ttL7BI+SVaEvfobE1o4Vvj2bxjAuiwVhIQV84fPGmEvXPHEHpdu2vz
 ld6W5rpGxdg+Gc7ZeIAzTwkIsI/9zBGxGTxi89lURBkTJbIPWKXLPs+0iA/OV3mC5D8D
 FFQZrGEMdAwJr9TS9XgA7wFMO1irsKlEM9W09Ql8LpGbpu8qIXE/AmHjG3I31L4aqGwU
 d2+Z79UAL3yvx0KexLKrxgTO2Yczso6Cl6ph2HPs7XurqH71wd8kk1Yey+izsh4iV93e
 XY2jlvx/nDzW810q7WJhwpa0i4Z2z/Y/TuzKDd1h+OlnFa5FqCyCalY4sfBFS2cDTE8v
 4/rQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=SqxOE+9wT9bCDyiiANOmvuVw5V5WdLRN81dGOQgBRMU=;
 b=DxMmzGkpEH/7I1Nd0Np+tOYz9N7N8s9DCBEP5RTEWwxsX0Os47JweVdL9Yr+QYCw14
 Pp6g7Jin5WIOps1HEmNwe1K6SW/teD4lDMlBcwGi+2+EMIjn2KZUi/uUJxXnpK0PFzB7
 rOwYSbMPWIx1VP9ziZW0Vt7/5XMb9eeFE2jfDQobzhVbem7jVEGS96l9fx9bDjOH/AnN
 ZX6tbVwaSxPE4m7/ko+c1Ou8/PDfjS4bJQ7seZY6HPWn0Rgj/hdsDQJYQpLBO7Bzb6AB
 Z5YCv2fxPM5DFXMLIHY8cN6yel0MDikg/vZ1/10isZX6eVMAhJLsUAFpsIJFNk6eVA7L
 SrWg==
X-Gm-Message-State: AOAM530kr6FqPyxgEtrCQOc9xvTkUtj+Iqqs6jmUSMQCj4Z/zxd/lxsD
 MVteCHcWK/pMMH2+GrUgJvfd4elRerjnRA==
X-Google-Smtp-Source: ABdhPJxqi8+SghDFWbalyH03Km6jyC671K9FfvKIsIKxAksSTJz13uAFCH8eUN/TJptE8OLaSz0uuBOoVVfYng==
X-Received: by 2002:a05:6902:6d1:: with SMTP id
 m17mr19964040ybt.372.1590105475123; 
 Thu, 21 May 2020 16:57:55 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:14 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-2-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 01/27] l2tp: lock socket before checking flags in connect()
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 0382a25af3c771a8e4d5e417d1834cbe28c2aaac upstream.

Socket flags aren't updated atomically, so the socket must be locked
while reading the SOCK_ZAPPED flag.

This issue exists for both l2tp_ip and l2tp_ip6. For IPv6, this patch
also brings error handling for __ip6_datagram_connect() failures.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 include/net/ipv6.h  |  2 ++
 net/ipv6/datagram.c |  4 +++-
 net/l2tp/l2tp_ip.c  | 19 ++++++++++++-------
 net/l2tp/l2tp_ip6.c | 16 +++++++++++-----
 4 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 6258264a0bf7..94880f07bc06 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -915,6 +915,8 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
 int compat_ipv6_getsockopt(struct sock *sk, int level, int optname,
 			   char __user *optval, int __user *optlen);
 
+int __ip6_datagram_connect(struct sock *sk, struct sockaddr *addr,
+			   int addr_len);
 int ip6_datagram_connect(struct sock *sk, struct sockaddr *addr, int addr_len);
 int ip6_datagram_connect_v6_only(struct sock *sk, struct sockaddr *addr,
 				 int addr_len);
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index f33154365b64..389b6367a810 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -40,7 +40,8 @@ static bool ipv6_mapped_addr_any(const struct in6_addr *a)
 	return ipv6_addr_v4mapped(a) && (a->s6_addr32[3] == 0);
 }
 
-static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
+			   int addr_len)
 {
 	struct sockaddr_in6	*usin = (struct sockaddr_in6 *) uaddr;
 	struct inet_sock	*inet = inet_sk(sk);
@@ -213,6 +214,7 @@ out:
 	fl6_sock_release(flowlabel);
 	return err;
 }
+EXPORT_SYMBOL_GPL(__ip6_datagram_connect);
 
 int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 58f87bdd12c7..fab122cc6aac 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -321,21 +321,24 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
 	struct sockaddr_l2tpip *lsa = (struct sockaddr_l2tpip *) uaddr;
 	int rc;
 
-	if (sock_flag(sk, SOCK_ZAPPED)) /* Must bind first - autobinding does not work */
-		return -EINVAL;
-
 	if (addr_len < sizeof(*lsa))
 		return -EINVAL;
 
 	if (ipv4_is_multicast(lsa->l2tp_addr.s_addr))
 		return -EINVAL;
 
-	rc = ip4_datagram_connect(sk, uaddr, addr_len);
-	if (rc < 0)
-		return rc;
-
 	lock_sock(sk);
 
+	/* Must bind first - autobinding does not work */
+	if (sock_flag(sk, SOCK_ZAPPED)) {
+		rc = -EINVAL;
+		goto out_sk;
+	}
+
+	rc = __ip4_datagram_connect(sk, uaddr, addr_len);
+	if (rc < 0)
+		goto out_sk;
+
 	l2tp_ip_sk(sk)->peer_conn_id = lsa->l2tp_conn_id;
 
 	write_lock_bh(&l2tp_ip_lock);
@@ -343,7 +346,9 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
 	sk_add_bind_node(sk, &l2tp_ip_bind_table);
 	write_unlock_bh(&l2tp_ip_lock);
 
+out_sk:
 	release_sock(sk);
+
 	return rc;
 }
 
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 2b5230ef8536..59e609f2db64 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -383,9 +383,6 @@ static int l2tp_ip6_connect(struct sock *sk, struct sockaddr *uaddr,
 	int	addr_type;
 	int rc;
 
-	if (sock_flag(sk, SOCK_ZAPPED)) /* Must bind first - autobinding does not work */
-		return -EINVAL;
-
 	if (addr_len < sizeof(*lsa))
 		return -EINVAL;
 
@@ -402,10 +399,18 @@ static int l2tp_ip6_connect(struct sock *sk, struct sockaddr *uaddr,
 			return -EINVAL;
 	}
 
-	rc = ip6_datagram_connect(sk, uaddr, addr_len);
-
 	lock_sock(sk);
 
+	 /* Must bind first - autobinding does not work */
+	if (sock_flag(sk, SOCK_ZAPPED)) {
+		rc = -EINVAL;
+		goto out_sk;
+	}
+
+	rc = __ip6_datagram_connect(sk, uaddr, addr_len);
+	if (rc < 0)
+		goto out_sk;
+
 	l2tp_ip6_sk(sk)->peer_conn_id = lsa->l2tp_conn_id;
 
 	write_lock_bh(&l2tp_ip6_lock);
@@ -413,6 +418,7 @@ static int l2tp_ip6_connect(struct sock *sk, struct sockaddr *uaddr,
 	sk_add_bind_node(sk, &l2tp_ip6_bind_table);
 	write_unlock_bh(&l2tp_ip6_lock);
 
+out_sk:
 	release_sock(sk);
 
 	return rc;

From patchwork Thu May 21 23:57:16 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225464
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 4CFFFC433DF
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:02 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 1B12B2078B
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:02 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="KxpPr8AG"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729805AbgEUX6B (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:01 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59510 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6B (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:01 -0400
Received: from mail-qk1-x74a.google.com (mail-qk1-x74a.google.com
 [IPv6:2607:f8b0:4864:20::74a])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 32088C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:00 -0700 (PDT)
Received: by mail-qk1-x74a.google.com with SMTP id v6so9280255qkh.7
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=mJgEjWomeKju0JzVX7y/k1in+JffRXKgCUSin9ZeegY=;
 b=KxpPr8AG30vqYwqJMZsyFyDDQwg7RS5hmcFV9gZ0rf/hXorlQsLPQ9RvWI2M5kqbOK
 X2mYdLcgD5V24sAZuNjfc9CsoUfs14m1KuX/gaBvC/a9tYKVRQM8rQBq6aW5wiwEc536
 XsPPVyNUvIYeoR6nHSLqY8zUfkl1klw+KZmJzt5wS/6oMwlwQ97K94UexFmI2c3IlToL
 14tBwH3LfutN7h6tBHSrv9jZrye8rnxanDzOaTjerWn6p6uPPqmXbf2kv7BgdPZ1p7Lj
 0IdELwtr6XsFf8AwmJWuwK3tG+7Tfu35G/nIagIsOFyAPShcTfYQaNpfxL6kjEsZJSK6
 JnNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=mJgEjWomeKju0JzVX7y/k1in+JffRXKgCUSin9ZeegY=;
 b=ZGGJPO0p8E5Sn6lhkWUfcWsizbYsPTvGloENfIirf7pG5BC8B4R1V6tTrguqtQyTcp
 ZgqRJ5j1sGrS8zEMzI4QU6zaFA9+Qy1tqGhoX+EC67HHFRGWgBrByfMJKcxJZZ6zHGxO
 MDy2mc4bScqAWhKm1p8hvhTAZ4VSGNcuPCdqEwr8E/Vmt5cqMeqsIW/GoD6Gy0vrpyVw
 N3i810+ckpOZ42vLIF5LQCs7mYlPMi1taA7ZKmJxINCQfiRfNF/vmYXS4fjehnwwtCzy
 KbTPA9/qQ1ySqqoicU/fQHaMpcSsnuF9aL6+fHtMbR79z4b+4WNGxvb1FNYTXxC63Yg3
 EdDA==
X-Gm-Message-State: AOAM530PZfrtgfyc/RQLNWn7lkQ6axI6wsAx+APiImPF30G14ebaEDqF
 7Ce4zc5B6JNO9tON/HvXHBrIfdegV5CEzA==
X-Google-Smtp-Source: ABdhPJyDXxE4UON09Z1fwhOZ7JjVdRmwyX5xXJBgdiMEAlKK6ihhghuR35Z32ijvE0gG1GeazlaMGaDdppLGYg==
X-Received: by 2002:ad4:466f:: with SMTP id z15mr1284082qvv.101.1590105479340; 
 Thu, 21 May 2020 16:57:59 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:16 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-4-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 03/27] l2tp: hold session while sending creation notifications
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Amit Pundir <amit.pundir@linaro.org>,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 5e6a9e5a3554a5b3db09cdc22253af1849c65dff upstream.

l2tp_session_find() doesn't take any reference on the returned session.
Therefore, the session may disappear while sending the notification.

Use l2tp_session_get() instead and decrement session's refcount once
the notification is sent.

Backporting Notes

This is a backport of a backport.

Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_netlink.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index fb3248ff8b48..43f0af1c4697 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -626,10 +626,12 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
 			session_id, peer_session_id, &cfg);
 
 	if (ret >= 0) {
-		session = l2tp_session_find(net, tunnel, session_id);
-		if (session)
+		session = l2tp_session_get(net, tunnel, session_id, false);
+		if (session) {
 			ret = l2tp_session_notify(&l2tp_nl_family, info, session,
 						  L2TP_CMD_SESSION_CREATE);
+			l2tp_session_dec_refcount(session);
+		}
 	}
 
 out:

From patchwork Thu May 21 23:57:18 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225463
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 367C7C433E0
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:05 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 144A2206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:05 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="fh/kwZlN"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729812AbgEUX6E (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:04 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59526 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6E (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:04 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 310E5C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:04 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id r18so7244520ybg.10
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=1zP5YXAUai9NuLktmpuGTocokd0bJMpEb1yVDiy65/A=;
 b=fh/kwZlNEVPnuAsQS6Bx+7SW5tX2XzaILyGIlW11Ng6XwBI525AE6Wtf09aT//NBnF
 UtvTKRLQFajvsX2YjKaitjbvB0iIerJPdYc3KKWOML5kQc4VWxAE8cnO/6fcQ/nHflS0
 4bczsemVOq+XsJiTdA7att67niD5l09crBGNK/VTpSSyGVMLqO7CU2dUoQrk5O0xwV2v
 /gu8ULKD/UfC5D4N1aj4L8AMF6YuAay9DP077i4934rIF94JYK1O+UPHxWkE3bTCsx/3
 eG+8ozQPlVP1e305rJrDLe5JzfdmOjwGJpCf31C58p+l3PIvS2cGrECszjRsDA677MGc
 5uqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=1zP5YXAUai9NuLktmpuGTocokd0bJMpEb1yVDiy65/A=;
 b=dP0thMH6HteBykq4oRXQqTE/rjV/y0AbXGiYa3Zfn/AHVOzLmddNHcMUiKk1cOtluK
 kADQJsxXt9lFKmMXRgE1WEXl4lTT/pk7Kx7nVVrUJHhhG8DwJ1HdDbPGTHwbwqFBqLwy
 R5YFYF3ZlzawylhWJ0FEPqlVL1+dvd+Uf2W8/lFFb9m1cLiojvvbXPnlOJA7pnL/PJNC
 Ypcy4CqawS6ASilkY8yW4Z6dJvmwgatGip7L/rLz9Z0f6n1+dWlpVDAWHHs+pHdf32Lh
 awV+xkn9c17vvtLW0d1+3g0+RjgGGULWruHqXkXPG5uk6dG1B8CSF84vAuQ8tk0V49jd
 OdKw==
X-Gm-Message-State: AOAM5326KkrMpuAVQyR74SeQscjSxkPNISgsOtaw9RNufkGLC6UJlIBl
 V/bmPSnOFUopRuFpB67Fw292H5yaouw+zg==
X-Google-Smtp-Source: ABdhPJxdsLDkh+qhF2pe+LDdDz568BrUdV387TwlLHe9tITe1HilU6ungAQ9YcD27yNmthBCTbQXJDG6LkHX8A==
X-Received: by 2002:a25:76c5:: with SMTP id
 r188mr10775588ybc.71.1590105483431; 
 Thu, 21 May 2020 16:58:03 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:18 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-6-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 05/27] l2tp: don't use l2tp_tunnel_find() in l2tp_ip and
 l2tp_ip6
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>, Nicolas Schier <n.schier@avm.de>,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 upstream.

Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:

  * It doesn't take a reference on the returned tunnel, which makes the
    call racy wrt. concurrent tunnel deletion.

  * The lookup is only based on the tunnel identifier, so it can return
    a tunnel that doesn't match the packet's addresses or protocol.

For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
sk_receive_skb() will then crash the kernel by trying to execute this
callback.

And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
properly checks the socket binding and connection settings. It was used
as a fallback mechanism for finding tunnels that didn't have their data
path registered yet. But it's not limited to this case and can be used
to replace l2tp_tunnel_find() in the general case.

Fix l2tp_ip6 in the same way.

Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Nicolas Schier <n.schier@avm.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_ip.c  | 22 ++++++++--------------
 net/l2tp/l2tp_ip6.c | 23 ++++++++---------------
 2 files changed, 16 insertions(+), 29 deletions(-)

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 2a77732c6496..fd7363f8405a 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -122,6 +122,7 @@ static int l2tp_ip_recv(struct sk_buff *skb)
 	unsigned char *ptr, *optr;
 	struct l2tp_session *session;
 	struct l2tp_tunnel *tunnel = NULL;
+	struct iphdr *iph;
 	int length;
 
 	if (!pskb_may_pull(skb, 4))
@@ -180,23 +181,16 @@ pass_up:
 		goto discard;
 
 	tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel) {
-		sk = tunnel->sock;
-		sock_hold(sk);
-	} else {
-		struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
+	iph = (struct iphdr *)skb_network_header(skb);
 
-		read_lock_bh(&l2tp_ip_lock);
-		sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
-		if (!sk) {
-			read_unlock_bh(&l2tp_ip_lock);
-			goto discard;
-		}
-
-		sock_hold(sk);
+	read_lock_bh(&l2tp_ip_lock);
+	sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
+	if (!sk) {
 		read_unlock_bh(&l2tp_ip_lock);
+		goto discard;
 	}
+	sock_hold(sk);
+	read_unlock_bh(&l2tp_ip_lock);
 
 	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_put;
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 4d4561dd4023..5bb5337e74fc 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -134,6 +134,7 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
 	unsigned char *ptr, *optr;
 	struct l2tp_session *session;
 	struct l2tp_tunnel *tunnel = NULL;
+	struct ipv6hdr *iph;
 	int length;
 
 	if (!pskb_may_pull(skb, 4))
@@ -193,24 +194,16 @@ pass_up:
 		goto discard;
 
 	tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel) {
-		sk = tunnel->sock;
-		sock_hold(sk);
-	} else {
-		struct ipv6hdr *iph = ipv6_hdr(skb);
-
-		read_lock_bh(&l2tp_ip6_lock);
-		sk = __l2tp_ip6_bind_lookup(net, &iph->daddr,
-					    0, tunnel_id);
-		if (!sk) {
-			read_unlock_bh(&l2tp_ip6_lock);
-			goto discard;
-		}
+	iph = ipv6_hdr(skb);
 
-		sock_hold(sk);
+	read_lock_bh(&l2tp_ip6_lock);
+	sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, 0, tunnel_id);
+	if (!sk) {
 		read_unlock_bh(&l2tp_ip6_lock);
+		goto discard;
 	}
+	sock_hold(sk);
+	read_unlock_bh(&l2tp_ip6_lock);
 
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_put;

From patchwork Thu May 21 23:57:20 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225462
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 041C7C433E0
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:11 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id D14E9206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:10 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="aFZftlbI"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729851AbgEUX6K (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59544 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6J (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:09 -0400
Received: from mail-qt1-x84a.google.com (mail-qt1-x84a.google.com
 [IPv6:2607:f8b0:4864:20::84a])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5805AC061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:08 -0700 (PDT)
Received: by mail-qt1-x84a.google.com with SMTP id r9so9663316qtn.20
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc:content-transfer-encoding;
 bh=kDFl6yGm4aHUMU9L0i8tjs7DIH/mLKt3c+c4Oc1QHYc=;
 b=aFZftlbIbl4V86IKewAc+CrhC0avTBnDPJyqHUf0cFxZMFksqzjuMNCsa2plhPxQBM
 E3bKMJUdQ2xPk8gFJGdrWRjdTbs37+nFcb+Y8j1GYaALttSeJ/jO6XlHSssefW6xpz4i
 n/7U1RfCW7i9PXfdtKZnsG+9jy8+WrmhsU5V8f02cOPqQDjMN20sZI+fz970ueUVb2kN
 jkb2o8FsIhYTc3KKd19ndfkogCY1/q0ty58DX65KOEQlWTc3OT79Iw8VwaFoL48e78tV
 siFE9eVX14kNevf7X5svoMAWJifJqaGIfwX25FFcy1NQm730OJhS1d9BjJr3cOoZbCN5
 LrpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc:content-transfer-encoding;
 bh=kDFl6yGm4aHUMU9L0i8tjs7DIH/mLKt3c+c4Oc1QHYc=;
 b=V+oT8IoYoKssyyg6bdykG9Le8CQXNipgiPS8TvlKk3aMdJSGpgluI5ZUkTvEFGu0kJ
 m/QYo3ySIgtbY6STvQmvwkJLI6KD5tIIkuI45YW38ecm3jI0V83ztAzc/lPSn+0V//2x
 D7xApOP1Ke4STzQjmzZhccu56pT7aLjybAjSYVc4SFUNrWYksYcgywrXF/4pvFr73YCr
 n/t1uVjwohfLBQ5E5+aE0cSLNS9aEKtVovKxojkmcmrPAB5/Ppujc0G10TCD+0+noF1a
 GVH0SW3Ncn3I1ovF6QmFI4x0tfg52yJkDIgj9NY+LL1Mi9SC6iRY8vLPdhEyIDQqVlaZ
 Nyvg==
X-Gm-Message-State: AOAM531tmuGIoWShtE2+Nsy/e4YHG96SU+VzfM3HYBh1rhyOL4ZWUGOk
 tBpwmgviEGnV9hNL4KRd3LDJpXCg6G0gmA==
X-Google-Smtp-Source: ABdhPJw2cQio34eun+a8qKBQAa4oYnmZ7LmSHgDEa0A8qF4D4womKvzNH5f6ati64aZKq/OrHq+IU57gIrsDtA==
X-Received: by 2002:a0c:8e84:: with SMTP id x4mr1254714qvb.175.1590105487453; 
 Thu, 21 May 2020 16:58:07 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:20 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-8-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 07/27] net: l2tp: deprecate PPPOL2TP_MSG_* in favour of
 L2TP_MSG_*
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, "=?UTF-8?q?Asbj=C3=B8rn=20Sloth=20T=C3=B8nnesen?=" 
 <asbjorn@asbjorn.st>, "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Asbjørn Sloth Tønnesen <asbjorn@asbjorn.st>

commit 47c3e7783be4e142b861d34b5c2e223330b05d8a upstream.

PPPOL2TP_MSG_* and L2TP_MSG_* are duplicates, and are being used
interchangeably in the kernel, so let's standardize on L2TP_MSG_*
internally, and keep PPPOL2TP_MSG_* defined in UAPI for compatibility.

Signed-off-by: Asbjoern Sloth Toennesen <asbjorn@asbjorn.st>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 Documentation/networking/l2tp.txt |  8 ++++----
 include/uapi/linux/if_pppol2tp.h  | 13 ++++++-------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/Documentation/networking/l2tp.txt b/Documentation/networking/l2tp.txt
index 4650a00ed012..9bc271cdc9a8 100644
--- a/Documentation/networking/l2tp.txt
+++ b/Documentation/networking/l2tp.txt
@@ -177,10 +177,10 @@ setsockopt on the PPPoX socket to set a debug mask.
 
 The following debug mask bits are available:
 
-PPPOL2TP_MSG_DEBUG    verbose debug (if compiled in)
-PPPOL2TP_MSG_CONTROL  userspace - kernel interface
-PPPOL2TP_MSG_SEQ      sequence numbers handling
-PPPOL2TP_MSG_DATA     data packets
+L2TP_MSG_DEBUG    verbose debug (if compiled in)
+L2TP_MSG_CONTROL  userspace - kernel interface
+L2TP_MSG_SEQ      sequence numbers handling
+L2TP_MSG_DATA     data packets
 
 If enabled, files under a l2tp debugfs directory can be used to dump
 kernel state about L2TP tunnels and sessions. To access it, the
diff --git a/include/uapi/linux/if_pppol2tp.h b/include/uapi/linux/if_pppol2tp.h
index 163e8adac2d6..de246e9f4974 100644
--- a/include/uapi/linux/if_pppol2tp.h
+++ b/include/uapi/linux/if_pppol2tp.h
@@ -17,6 +17,7 @@
 
 #include <linux/types.h>
 
+#include <linux/l2tp.h>
 
 /* Structure used to connect() the socket to a particular tunnel UDP
  * socket over IPv4.
@@ -89,14 +90,12 @@ enum {
 	PPPOL2TP_SO_REORDERTO	= 5,
 };
 
-/* Debug message categories for the DEBUG socket option */
+/* Debug message categories for the DEBUG socket option (deprecated) */
 enum {
-	PPPOL2TP_MSG_DEBUG	= (1 << 0),	/* verbose debug (if
-						 * compiled in) */
-	PPPOL2TP_MSG_CONTROL	= (1 << 1),	/* userspace - kernel
-						 * interface */
-	PPPOL2TP_MSG_SEQ	= (1 << 2),	/* sequence numbers */
-	PPPOL2TP_MSG_DATA	= (1 << 3),	/* data packets */
+	PPPOL2TP_MSG_DEBUG	= L2TP_MSG_DEBUG,
+	PPPOL2TP_MSG_CONTROL	= L2TP_MSG_CONTROL,
+	PPPOL2TP_MSG_SEQ	= L2TP_MSG_SEQ,
+	PPPOL2TP_MSG_DATA	= L2TP_MSG_DATA,
 };
 
 

From patchwork Thu May 21 23:57:22 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225461
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 9665FC433E1
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:13 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 724D2206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:13 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="H4m7ktKG"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729874AbgEUX6N (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59558 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6M (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:12 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B8D6C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:12 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id 186so7284090ybq.1
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=xo+wusjQ3apmlZ8lyrHuft8+VHE/2u5OsjWNlhYSErs=;
 b=H4m7ktKGSbfRcqIcMOxf7oGPXMUr7Gvv05fLa6hQ4dG+1hKp1og1qcQosPrT1ObGDz
 snLqfVp+BDm0GVbFaladkcUGmlOgHtzm3ie0tzRtb0/p/OYE4f+0AqSDRvHqGpo2NFF0
 JEh7Q7xS/OdCD0KBQ5VutjCqb798A0cI4Rs18h48w7O/c47uFA3NTGxzcezv6iwGsi9I
 TbiPugEHOxC048LAzpEFoqUc+ToOBSFniSc3OAw3jJ7RouaShTJVXvjhAlUaDrB1Eu2w
 TiHb03skdj6P8gzTHjI/GwW4sP7OwzsOb82G6qLAJAnNsxCVT1u/cG/T8MiN0GLicJWE
 HTmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=xo+wusjQ3apmlZ8lyrHuft8+VHE/2u5OsjWNlhYSErs=;
 b=thFiE+ZRdzZz88bqbEvvWQ3ZvnlInlm+bshzvV0+DKTvr8ZfVt+05ERGqF8i2ug3/F
 lPua73ahpe/DdVz3pIn5WzFphN8EU0WZO7aTZ1UIztZeASpcWjJdnFU/ix+SotfrvxPW
 u7/dgO5CbiOfHU5Ka48m/cDZemOcgnrTn618je8L59N92Zpbuec/4E8zcbR5XAgjFBd5
 eyq76+2WQ9XHX0uf742WHh2mK6XtOH5UXu37k0MfWENmHxtYLHb3DOEoicaOd74kaG/V
 ld5qv7iV9go7iVDEB/SLtXebHNLF1sPFAZv1dDD5bWPiT4BPLsFw8tX/4n6YYM3vMWQQ
 CvzQ==
X-Gm-Message-State: AOAM532iYvxLiepkiD21jHXGoNf8lhd0cnFveYy/rgFZpdGegKPWGe04
 //4NaHgq1sDWeeAf3qp5w2MVnJXEUMy3lA==
X-Google-Smtp-Source: ABdhPJx1L0d5WZDHShB7k9bHtVrGrpQcUj50rAnRIl+g6rMsbRdnVBsWF+TQS7fC+ztupiRZYOJYsUVrVvG13g==
X-Received: by 2002:a25:f507:: with SMTP id a7mr19878670ybe.176.1590105491790; 
 Thu, 21 May 2020 16:58:11 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:22 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-10-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 09/27] New kernel function to get IP overhead on a socket.
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, "R. Parameswaran" <parameswaran.r7@gmail.com>,
 "R . Parameswaran" <rparames@brocade.com>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: "R. Parameswaran" <parameswaran.r7@gmail.com>

commit 113c3075931a334f899008f6c753abe70a3a9323 upstream.

A new function, kernel_sock_ip_overhead(), is provided
to calculate the cumulative overhead imposed by the IP
Header and IP options, if any, on a socket's payload.
The new function returns an overhead of zero for sockets
that do not belong to the IPv4 or IPv6 address families.
This is used in the L2TP code path to compute the
total outer IP overhead on the L2TP tunnel socket when
calculating the default MTU for Ethernet pseudowires.

Signed-off-by: R. Parameswaran <rparames@brocade.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 include/linux/net.h |  3 +++
 net/socket.c        | 46 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/include/linux/net.h b/include/linux/net.h
index c00b8d182226..a0c6c00ac166 100644
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -291,6 +291,9 @@ int kernel_sendpage(struct socket *sock, struct page *page, int offset,
 int kernel_sock_ioctl(struct socket *sock, int cmd, unsigned long arg);
 int kernel_sock_shutdown(struct socket *sock, enum sock_shutdown_cmd how);
 
+/* Following routine returns the IP overhead imposed by a socket.  */
+u32 kernel_sock_ip_overhead(struct sock *sk);
+
 #define MODULE_ALIAS_NETPROTO(proto) \
 	MODULE_ALIAS("net-pf-" __stringify(proto))
 
diff --git a/net/socket.c b/net/socket.c
index 15bdba4211ad..1a2a7320554b 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -3304,3 +3304,49 @@ int kernel_sock_shutdown(struct socket *sock, enum sock_shutdown_cmd how)
 	return sock->ops->shutdown(sock, how);
 }
 EXPORT_SYMBOL(kernel_sock_shutdown);
+
+/* This routine returns the IP overhead imposed by a socket i.e.
+ * the length of the underlying IP header, depending on whether
+ * this is an IPv4 or IPv6 socket and the length from IP options turned
+ * on at the socket.
+ */
+u32 kernel_sock_ip_overhead(struct sock *sk)
+{
+	struct inet_sock *inet;
+	struct ip_options_rcu *opt;
+	u32 overhead = 0;
+	bool owned_by_user;
+#if IS_ENABLED(CONFIG_IPV6)
+	struct ipv6_pinfo *np;
+	struct ipv6_txoptions *optv6 = NULL;
+#endif /* IS_ENABLED(CONFIG_IPV6) */
+
+	if (!sk)
+		return overhead;
+
+	owned_by_user = sock_owned_by_user(sk);
+	switch (sk->sk_family) {
+	case AF_INET:
+		inet = inet_sk(sk);
+		overhead += sizeof(struct iphdr);
+		opt = rcu_dereference_protected(inet->inet_opt,
+						owned_by_user);
+		if (opt)
+			overhead += opt->opt.optlen;
+		return overhead;
+#if IS_ENABLED(CONFIG_IPV6)
+	case AF_INET6:
+		np = inet6_sk(sk);
+		overhead += sizeof(struct ipv6hdr);
+		if (np)
+			optv6 = rcu_dereference_protected(np->opt,
+							  owned_by_user);
+		if (optv6)
+			overhead += (optv6->opt_flen + optv6->opt_nflen);
+		return overhead;
+#endif /* IS_ENABLED(CONFIG_IPV6) */
+	default: /* Returns 0 overhead if the socket is not ipv4 or ipv6 */
+		return overhead;
+	}
+}
+EXPORT_SYMBOL(kernel_sock_ip_overhead);

From patchwork Thu May 21 23:57:24 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225460
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id D130BC433DF
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:18 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 9A868206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:18 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="XK2BIkkJ"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729903AbgEUX6S (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59572 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6R (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:17 -0400
Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com
 [IPv6:2607:f8b0:4864:20::b4a])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE2E9C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:16 -0700 (PDT)
Received: by mail-yb1-xb4a.google.com with SMTP id h129so7185094ybc.3
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=2q/ZTBKe+rRPOeAAmyf/c5a7kWQroO0f0bXwxZRItkU=;
 b=XK2BIkkJ6en/Le5R/K3FVqG8dUUmabBQm/ZFmyh47WlYZYkkibMogVbcalUbEqf57K
 vRiv7QkgbXIAGa6G09DN4nVlDt1RpqsSV4VK35XXfaEAEBATysssCvjfxpzl98uO5wsL
 kMD7H4sKxA+0bCpDs7Q3a4W/O/i648TlkMb+mZ5jZBOHa5mewGnLWNUCuZv2Qv/L+8nc
 6NI1Ww7mNrk+dMDD991Pg9jYk2mk102WCon72ZR+iBuHa/pCppxMwLdscwOFqg8usqWI
 +BSN1Lt+UnKqRFi1vDdzfJtFfxnOKjDKWrqRhLG8yjtrPb8uDIr9kFnezM5HCnyU4RmZ
 AGbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=2q/ZTBKe+rRPOeAAmyf/c5a7kWQroO0f0bXwxZRItkU=;
 b=Epqzla4xJlGrp1CdlMxjnEqhOqOrJlQ0TzpPFgE1F5FUeDc2gQAYvIF+3qB5+PpRhz
 k4DNeGzNIzELccTHtjWTkagh+I4SsxAb8gAW2eD7YGWR7mxQKDbATj3gYeD/G0wdUsbA
 mdjgTMfGKsd5IT1RmL6FzgfooI35zUjKdvgYqIefoUtxnGg2+T/jYTMWwvRRYiIBfcuS
 8NKLi/YArBR7o19z/qC3DtbNq5SIUN/kKJzDMWH2WVN2sk0YlC0jQbeObdaTz4ZwWI4I
 YnCNacguUY9JLt0ooekP74DThKrM33WSup2TImi/ZYdL/bF8yY+HHPt/Gbe4eXr68fyM
 /RFQ==
X-Gm-Message-State: AOAM532+c23KzBbE9ostj3VoX4HEN86Wc7L1O5gbI3eKieKr9gNxMxSU
 X4JtJRgCojdC9IT3Gl5atTx+5d0YrYN3kQ==
X-Google-Smtp-Source: ABdhPJzUQ7p1NirNCHTp+diuqsg1PYCVVTK+7ZlJRHdZuLx5BgLC2oVdDY0kj/sF5ESAcCNcUFbP4kLzCcuKHw==
X-Received: by 2002:a25:cb53:: with SMTP id b80mr1316469ybg.480.1590105495920; 
 Thu, 21 May 2020 16:58:15 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:24 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-12-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 11/27] l2tp: remove useless duplicate session detection in
 l2tp_netlink
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit af87ae465abdc070de0dc35d6c6a9e7a8cd82987 upstream.

There's no point in checking for duplicate sessions at the beginning of
l2tp_nl_cmd_session_create(); the ->session_create() callbacks already
return -EEXIST when the session already exists.

Furthermore, even if l2tp_session_find() returns NULL, a new session
might be created right after the test. So relying on ->session_create()
to avoid duplicate session is the only sane behaviour.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_netlink.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 63a2430ff40a..afee3d54e5ef 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -505,11 +505,6 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
 		goto out;
 	}
 	session_id = nla_get_u32(info->attrs[L2TP_ATTR_SESSION_ID]);
-	session = l2tp_session_find(net, tunnel, session_id);
-	if (session) {
-		ret = -EEXIST;
-		goto out;
-	}
 
 	if (!info->attrs[L2TP_ATTR_PEER_SESSION_ID]) {
 		ret = -EINVAL;

From patchwork Thu May 21 23:57:26 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225459
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 1D5ACC433DF
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:22 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id EF35D206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:21 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="dJMhUgQk"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729904AbgEUX6V (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59586 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6V (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:21 -0400
Received: from mail-qv1-xf49.google.com (mail-qv1-xf49.google.com
 [IPv6:2607:f8b0:4864:20::f49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 365F7C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:21 -0700 (PDT)
Received: by mail-qv1-xf49.google.com with SMTP id d11so8857610qvv.10
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=NwYuFW/Davgu6yg+PTdQ2BZfaJXuhvD0Ti2cpme4TNQ=;
 b=dJMhUgQkP4OHKMinyQ0ykcYTN5ZTIKrZIgkd9T7Qzc58Q7SPVnTJVLpbOvc1CBjGfW
 sFv2OQtbK3imdNhWkZINyhai/mq9MZMjRpz1q1GhMZGLSXAhrl5fLsfcmlCN97NXE3ur
 pINbcjDBVBQH3ll1KJCs6u8z1BEEqXvPIfVO+Xg+IBPNUZLbhtMcJuucQLiEHJQuDH+J
 hOdhZB4XK5GIXh9bRITqkvYLO6zNhJZKyLlxEHhKP7zDVZWxP0O1yjxJttSVlRaWrDvu
 D87TqvMWzwaU6iHhCl1ndfBkCO9RS1n+ZdRbU4M1eecFaiZza+iC2W5up1zzPR0b/yuh
 LTjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=NwYuFW/Davgu6yg+PTdQ2BZfaJXuhvD0Ti2cpme4TNQ=;
 b=sEEW8gswmvrGqBHsPGYvg+K+D4DG7RJ72tawsgr5Cb5DNv+CZ8ESDN48oqBjwTS7kd
 4dYBEE6mESIyf4m+WaRZBwSaWDpZQOFKOcjRNzHUeN8TJ2QqerXkitW/bGDUN34Ldcu3
 WtAk5d/Sr5Lc7+T+6u4vr4auTl+wtNVKNb6Pod8hJ7KNfpUjVIGfibAuy48rENYA0MUi
 YMyI+h1+6hnnjdWH+HOdf0f28iOh+4/pttxYbm1U3JJ0djS6H/yPtAVR6mjclWHiG9QO
 xPySroPXL2Y5A1him9mJfZoeGMTRBoNYUjrM4NAwp7BYxMaFZL1jnpmGXTKm7fCmZYt1
 2qkw==
X-Gm-Message-State: AOAM531lNie3ndQDwf5G/JuUPwCxLWbj+ZWg/M2hlRjjoG7hEyIKBZ7f
 FDi2cs51s/JxdQ6Rt5pW0Q2QhBOzyftRwA==
X-Google-Smtp-Source: ABdhPJz5IHidReJytAupVnI1MkrAPVhwTUPUXpSD5y8JH+JiYV5YFp+vx2pNIU9Onf4VMgxcMTqNcrT/MhdNLQ==
X-Received: by 2002:ad4:536a:: with SMTP id e10mr1232763qvv.246.1590105500376; 
 Thu, 21 May 2020 16:58:20 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:26 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-14-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 13/27] l2tp: define parameters of l2tp_session_get*() as
 "const"
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 9aaef50c44f132e040dcd7686c8e78a3390037c5 upstream.

Make l2tp_pernet()'s parameter constant, so that l2tp_session_get*() can
declare their "net" variable as "const".
Also constify "ifname" in l2tp_session_get_by_ifname().

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_core.c | 7 ++++---
 net/l2tp/l2tp_core.h | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 95fa01b4edc6..4e2859d72167 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -119,7 +119,7 @@ static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
 	return sk->sk_user_data;
 }
 
-static inline struct l2tp_net *l2tp_pernet(struct net *net)
+static inline struct l2tp_net *l2tp_pernet(const struct net *net)
 {
 	BUG_ON(!net);
 
@@ -231,7 +231,7 @@ l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
 /* Lookup a session. A new reference is held on the returned session.
  * Optionally calls session->ref() too if do_ref is true.
  */
-struct l2tp_session *l2tp_session_get(struct net *net,
+struct l2tp_session *l2tp_session_get(const struct net *net,
 				      struct l2tp_tunnel *tunnel,
 				      u32 session_id, bool do_ref)
 {
@@ -306,7 +306,8 @@ EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
 /* Lookup a session by interface name.
  * This is very inefficient but is only used by management interfaces.
  */
-struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
+						const char *ifname,
 						bool do_ref)
 {
 	struct l2tp_net *pn = l2tp_pernet(net);
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 7dc70f73a083..dab75dc4ea48 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -234,12 +234,13 @@ out:
 	return tunnel;
 }
 
-struct l2tp_session *l2tp_session_get(struct net *net,
+struct l2tp_session *l2tp_session_get(const struct net *net,
 				      struct l2tp_tunnel *tunnel,
 				      u32 session_id, bool do_ref);
 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
 					  bool do_ref);
-struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
+						const char *ifname,
 						bool do_ref);
 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id);
 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);

From patchwork Thu May 21 23:57:28 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225458
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 6AB51C433DF
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:26 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 491392078B
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:26 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="UXfYum4g"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1730059AbgEUX6Z (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:25 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59602 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6Z (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:25 -0400
Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com
 [IPv6:2607:f8b0:4864:20::b4a])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77828C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:25 -0700 (PDT)
Received: by mail-yb1-xb4a.google.com with SMTP id i3so123215ybm.12
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=K183wFQPFGPKk6NSzjr/5v+kbtVezQZ2UnZ6d7X9RM0=;
 b=UXfYum4gqu14/a3/WXG8tWpivYj2twTj335UbSNKcq7SH3yrgQyTXmL6SUZl61sfdU
 aRTCdMvBoeqpCFiO91X12Hntn+fxRJcJ+0kkaebAzvjxCwQVzbDc/1OwKcwgrwC69Xh6
 D8OWyVbZzQ2sSd6Kvo6iPZn4OWrQg5MjZtQd6CdOfihYswPx6GOUBUdtoae/OwNsRSrP
 CBMHg3wsLKqH1iqSyC9rlahuQXJIXonl3AOUStqFIb7pLlLYpwnOgGfiBW5j4I2r/EJW
 wr0JQc7ilCtLXcXvifvBseCf3Wn9xbESulgPUtORXsgY+8SthnJg9YN+p2lTjZfpDdBw
 bcoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=K183wFQPFGPKk6NSzjr/5v+kbtVezQZ2UnZ6d7X9RM0=;
 b=E/0YXPnBI0kY7SnK/+VDN5M10CRu3hIXcJDAbsOuRiG7+N9JcM1NKXLKSx68olEJyR
 +mR59ESuLcEtaXhOQvuzhVLurjnzRmuIUVF8DfAPbU3+gQymIUNG+X5Am+NcXk0jNTM2
 xx3O6cPqDLnRbu4bGsioMOlRfb17+J7FXQZTo5xECUaQofpbmptJEuszoHMNwNrG+Tny
 5XIRFJpNtU/Hnqvc4c4cRdDvI44NSUVYu728d/ucuunl11R5zc9pjXpzhxcM59mT0Udo
 j7Sfwpp56ttLBq5EmPOELa/+yFfYffQEMEFVsWMHX2YlLpcfgKbK7qYOES8rEr6kr0HY
 Ot3Q==
X-Gm-Message-State: AOAM530RcV+jI1PeFfpSo1oXextXsdWEldvToAcPCu3O4HikkX6Euf+9
 jckdDpW/483s5sQdnsgz2BydaQn5V4XSog==
X-Google-Smtp-Source: ABdhPJzgwEDy81TohwTK2Px26lX4ImqL/Bf3vWpBNNADn2OFlNVDGN+ph0HU9nQa3i/tNA2tWRuMWqCl7NYF4w==
X-Received: by 2002:a25:4455:: with SMTP id
 r82mr20208868yba.213.1590105504717; 
 Thu, 21 May 2020 16:58:24 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:28 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-16-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 15/27] l2tp: initialise session's refcount before making it
 reachable
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 9ee369a405c57613d7c83a3967780c3e30c52ecc upstream.

Sessions must be fully initialised before calling
l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame
where partially initialised sessions can be accessed by external users.

Backporting Notes

l2tp_core.c: moving code that had been converted from atomic to
refcount_t by an earlier change (which isn't being included in this
patch series).

Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 7e593e399774..c0abd5efd824 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1853,6 +1853,8 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 
 		l2tp_session_set_header_len(session, tunnel->version);
 
+		l2tp_session_inc_refcount(session);
+
 		err = l2tp_session_add_to_tunnel(tunnel, session);
 		if (err) {
 			kfree(session);
@@ -1860,10 +1862,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 			return ERR_PTR(err);
 		}
 
-		/* Bump the reference count. The session context is deleted
-		 * only when this drops to zero.
-		 */
-		l2tp_session_inc_refcount(session);
 		l2tp_tunnel_inc_refcount(tunnel);
 
 		/* Ensure tunnel socket isn't deleted */

From patchwork Thu May 21 23:57:30 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225457
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id BE050C433E1
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:31 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 9C247206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:31 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="vIACxHAS"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1730061AbgEUX6b (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:31 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59616 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6b (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:31 -0400
Received: from mail-qv1-xf4a.google.com (mail-qv1-xf4a.google.com
 [IPv6:2607:f8b0:4864:20::f4a])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE757C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:29 -0700 (PDT)
Received: by mail-qv1-xf4a.google.com with SMTP id i1so8800344qvo.21
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=zbp3ybiA9jYjSUhpVVg9Pf+zbN5QQ1/VtDIGjZ8hnfs=;
 b=vIACxHASLeBZIeAfcEWQBITrsopOYKQav8nhevq55IhUw/vI7lxPtQghBNsEaUI7Bn
 UoOsOIbl85hFDOSiN/kdOFeNVz1eFXJxmye9hwUcbOOianG+yHBRqqbktdFiYimDxQeC
 nQckuSdV2uPYbjnAd77A2V3ItwIogtHbkEAr8vGmYeyR70ys74gi0pOafdWg0Enat3aE
 4QbGau6yz/9cFfIDsYHpiqn/MKE5BsPnme5NJEhrpMaabvxg6SrVHPStjdlC1dMKX9ck
 TNj1xs/TyhCm/QOvRyx09Q6Q91Ak0XY27C/Kp7WiRQNiQx4yCCEjKe83O2rJW67xqWdZ
 bv4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=zbp3ybiA9jYjSUhpVVg9Pf+zbN5QQ1/VtDIGjZ8hnfs=;
 b=DUc0cqWeW+OfSg8RQKGAPfru+ZJsopyJZt/8xO7krNfBsIcqs0XlAQQIEBuJD+Xi7O
 IiZkJmn59kjN1pjj2nQnzRAqBdFT9//tiVN2IgsqozHK05vn5njMc1qhHGfNfaIX6DOz
 VoOqYQCB/LqDXSRkqwat/4g5Tqbwmcu3wdsFBsuVH1jo9CpFUQfxoIW1hF01dP6mvipR
 oZKfqULUejTikaU5HOne7+OB591ybe4tPYlsUSbMPf/1xHUt30jDEhFCTDHzf9f4jtN3
 9dW0A0HpeVPBMoNFI0Wlcw8wG4jGaglIE8tPLuiVwtr+5+xU0ELVJTmlVGNqtOdSfuLV
 bGJw==
X-Gm-Message-State: AOAM533w6lrEzlRMpOnOxhyQJHv3lTAHI0m7NuOucmCSFG4F/q1NqxhY
 a8yyjXq6pzwcWWcxtj9vNUd7iP49THV7XQ==
X-Google-Smtp-Source: ABdhPJzGFIVd3CFDa4KvOKdnTVIQW1figYIepIGXAvUwuJjzIvPYzTYFCflT8pfhzCHk3txEU4atDjFoU5Iqyw==
X-Received: by 2002:a0c:b501:: with SMTP id d1mr1263118qve.63.1590105508973; 
 Thu, 21 May 2020 16:58:28 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:30 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-18-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 17/27] l2tp: hold tunnel while processing genl delete command
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit bb0a32ce4389e17e47e198d2cddaf141561581ad upstream.

l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to
prevent it from being concurrently freed by l2tp_tunnel_destruct().

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_netlink.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 558327d62167..e0c3a551c9bc 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -280,8 +280,8 @@ static int l2tp_nl_cmd_tunnel_delete(struct sk_buff *skb, struct genl_info *info
 	}
 	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel == NULL) {
+	tunnel = l2tp_tunnel_get(net, tunnel_id);
+	if (!tunnel) {
 		ret = -ENODEV;
 		goto out;
 	}
@@ -291,6 +291,8 @@ static int l2tp_nl_cmd_tunnel_delete(struct sk_buff *skb, struct genl_info *info
 
 	l2tp_tunnel_delete(tunnel);
 
+	l2tp_tunnel_dec_refcount(tunnel);
+
 out:
 	return ret;
 }

From patchwork Thu May 21 23:57:32 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225456
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id C2FFDC433DF
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:34 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id A129A206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:34 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="E8qplZDf"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1730064AbgEUX6e (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59632 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1729771AbgEUX6d (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:33 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CDD71C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:33 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id q16so7231160ybg.18
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=aDiFmLRo09/z5PD1N7r++eFVdCxD35kDs8W9RmQKKf0=;
 b=E8qplZDfUeObyk2CHWzMVS90Lany8A+daeqsDROkrqZ898QLeev6ZqO9N7P1hlPzec
 cVPGNHeGQADi+Y8UpGy9X/T4wVLQ5ajL5HZwB8QF8enUq67Kgbr7iA+mR5CwXXYhfhP7
 LUKxuljeR26ZwpmjPWH9sa/GIRAgLmsn8B2EhSXITM85amMpHNtUKYKUG+mfcZvywI6I
 dVRFYQslYbz6vvXD5yF+DclTJS7NsIb/ZrvFiOGFftuTD3XRQp6p9ZKVGbtucyYUL23t
 adybRaqEffY2/6RN5mzE19TNOXTrUNya0+Sc1JMWis3Cf8VSyU1eRCKGsvmIgJCieQAy
 UUlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=aDiFmLRo09/z5PD1N7r++eFVdCxD35kDs8W9RmQKKf0=;
 b=eJlAorgcsVY/5zwRmbIlGhmHLtk4b+ueNAyLVbeKwOl5dZ+mHFWWpY0woMFR6BUhKl
 P34B+nkTE2b0FUh2UQnxVdcw57bnCu/5fCy//63gHzLw6FEgSiF+C57p8KCLP05qCYtO
 /akxxf0P6+X4eBPQ3Usn1Mc7LBowPRC6ZbN+YfiJjIDT8Kvo2AAE5/CtkzB+2WYcDjIP
 EipVqtQoo3qZHhi8c/k8rWGGmgBGJfQe8eOfGyCFQUBghOwmjfaamrdci8pB+2G+g8Qf
 YxlmEaqwv5iUJeewp5cilqaZ1B0P8iK26uwK8UPiOk/4kW7Zx7YG+e9F+wiO9/iebv9N
 Ni5g==
X-Gm-Message-State: AOAM533O4vhtiTVz76LrrrwHR2RNQvK6wrnb+9rLfmRNdRdjgL9axRNc
 9v0M2MNConJMAcwX10GhSE04p7AfxkLhCw==
X-Google-Smtp-Source: ABdhPJzhO8dkNhzNqU0ocB7UK5/LEoUehwZ3KPtj+2uGb10Urxhqy0DaH0Xk/z8skMdDT+qxqiEcTlB0RjO0Sw==
X-Received: by 2002:a5b:185:: with SMTP id r5mr15615275ybl.39.1590105513066; 
 Thu, 21 May 2020 16:58:33 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:32 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-20-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 19/27] l2tp: hold tunnel while handling genl TUNNEL_GET
 commands
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.

Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
a reference on the tunnel, preventing l2tp_tunnel_destruct() from
freeing it from under us.

Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
the reference when needed.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_netlink.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 71784e7542cf..b86a2caa9356 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -428,34 +428,37 @@ static int l2tp_nl_cmd_tunnel_get(struct sk_buff *skb, struct genl_info *info)
 
 	if (!info->attrs[L2TP_ATTR_CONN_ID]) {
 		ret = -EINVAL;
-		goto out;
+		goto err;
 	}
 
 	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel == NULL) {
-		ret = -ENODEV;
-		goto out;
-	}
-
 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
 	if (!msg) {
 		ret = -ENOMEM;
-		goto out;
+		goto err;
+	}
+
+	tunnel = l2tp_tunnel_get(net, tunnel_id);
+	if (!tunnel) {
+		ret = -ENODEV;
+		goto err_nlmsg;
 	}
 
 	ret = l2tp_nl_tunnel_send(msg, info->snd_portid, info->snd_seq,
 				  NLM_F_ACK, tunnel, L2TP_CMD_TUNNEL_GET);
 	if (ret < 0)
-		goto err_out;
+		goto err_nlmsg_tunnel;
+
+	l2tp_tunnel_dec_refcount(tunnel);
 
 	return genlmsg_unicast(net, msg, info->snd_portid);
 
-err_out:
+err_nlmsg_tunnel:
+	l2tp_tunnel_dec_refcount(tunnel);
+err_nlmsg:
 	nlmsg_free(msg);
-
-out:
+err:
 	return ret;
 }
 

From patchwork Thu May 21 23:57:35 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225455
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id A9DB1C433E0
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:42 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 77B67206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:42 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="hDKsM/np"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1730195AbgEUX6m (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59658 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1730180AbgEUX6k (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:40 -0400
Received: from mail-qv1-xf49.google.com (mail-qv1-xf49.google.com
 [IPv6:2607:f8b0:4864:20::f49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E876C05BD43
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:40 -0700 (PDT)
Received: by mail-qv1-xf49.google.com with SMTP id h15so8936050qvk.0
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=QDgtCb9a9owBuS0HO+mapYsH9adPvP1qbcIoo2x/Qxc=;
 b=hDKsM/npM5omY06NFCEdrfB42eaVDrnIgeFip1NSc6sifvQQSgvkzjJRZ/t199mk7V
 igiesAAPiQtUhu5V4tq/AtIkZsfBacGG4dBma55pWJHGzM0XBdEoJRSRiNst6HI9bsTy
 jE+c866QEompHmB8mTtJO4hHzXlz44M8LXrkKgoJ9ROhvt0xMDyVZwbvK+2jIakTtyfz
 1403C5jtNlZz2b9aT47nx8SvNqQ1l7d1ddXV06gUDQxE56mDIkYdmlfLMZhbjrVJLrfL
 R1sOj90ou1u/Nj4piFjY3y1rcftmruE0By9Mx3kv1Ws/5IY5mrvtg9Jwg19RMDA2Onkv
 9q3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=QDgtCb9a9owBuS0HO+mapYsH9adPvP1qbcIoo2x/Qxc=;
 b=XiiFlYIrrRdHtdXvToqCqe85Ca8PyM5tku9S0iInY6IWL5WBlqW3BonvWktrAHApCL
 OgLDnpfDO/wSxO0d0F+6c5uOVnC2jDgfYQS813gMwIN2XWmsSbiem7BXLu1nAqLW9ulI
 rmkNOlVlICzy3DlZOSFUmphFI8anJ5vyH6eF/shBYDo0laKkcztgkpeNV1052Q4mJTXQ
 1Yqr9LT/P9m9juJO61VToBp38lSpUE0LfkuWTEMBZuxvI95sQlPyrRdYWdoDwTQ1HPvr
 l5B9yiINVzAZnixMpmEhog5RgSQvIfK4EnCPm3nFxw5SgkdbGeCtPRwwcdq/Vm9xx3go
 I1fQ==
X-Gm-Message-State: AOAM532tl+J31ZqFclId+x9nGVjLK02ZdfSed9JoxPb7iej3+YCg4zbC
 e55k2BKSoh1yamFfvBTAgIChcFxKWbL+kA==
X-Google-Smtp-Source: ABdhPJzu9vWuN0FWxLaXyZUqd6RZ+iBskM/IQM9QsxVjkzdoYDkcdqdD5VBk0wPCu4Nqvd1V7sRL1QkAbfS3bA==
X-Received: by 2002:a0c:b258:: with SMTP id k24mr1265920qve.198.1590105519580; 
 Thu, 21 May 2020 16:58:39 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:35 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-23-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 22/27] l2tp: pass tunnel pointer to ->session_create()
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit f026bc29a8e093edfbb2a77700454b285c97e8ad upstream.

Using l2tp_tunnel_find() in pppol2tp_session_create() and
l2tp_eth_create() is racy, because no reference is held on the
returned session. These functions are only used to implement the
->session_create callback which is run by l2tp_nl_cmd_session_create().
Therefore searching for the parent tunnel isn't necessary because
l2tp_nl_cmd_session_create() already has a pointer to it and holds a
reference.

This patch modifies ->session_create()'s prototype to directly pass the
the parent tunnel as parameter, thus avoiding searching for it in
pppol2tp_session_create() and l2tp_eth_create().

Since we have to touch the ->session_create() call in
l2tp_nl_cmd_session_create(), let's also remove the useless conditional:
we know that ->session_create isn't NULL at this point because it's
already been checked earlier in this same function.

Finally, one might be tempted to think that the removed
l2tp_tunnel_find() calls were harmless because they would return the
same tunnel as the one held by l2tp_nl_cmd_session_create() anyway.
But that tunnel might be removed and a new one created with same tunnel
Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find()
would return the new tunnel which wouldn't be protected by the
reference held by l2tp_nl_cmd_session_create().

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_core.h    |  4 +++-
 net/l2tp/l2tp_eth.c     | 11 +++--------
 net/l2tp/l2tp_netlink.c |  8 ++++----
 net/l2tp/l2tp_ppp.c     | 19 +++++++------------
 4 files changed, 17 insertions(+), 25 deletions(-)

diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 8a5d51cff2f3..09cd58f03d89 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -204,7 +204,9 @@ struct l2tp_tunnel {
 };
 
 struct l2tp_nl_cmd_ops {
-	int (*session_create)(struct net *net, u32 tunnel_id, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg);
+	int (*session_create)(struct net *net, struct l2tp_tunnel *tunnel,
+			      u32 session_id, u32 peer_session_id,
+			      struct l2tp_session_cfg *cfg);
 	int (*session_delete)(struct l2tp_session *session);
 };
 
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index cef312da3422..c785308f630b 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -256,23 +256,18 @@ static void l2tp_eth_adjust_mtu(struct l2tp_tunnel *tunnel,
 	dev->needed_headroom += session->hdr_len;
 }
 
-static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
+static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
+			   u32 session_id, u32 peer_session_id,
+			   struct l2tp_session_cfg *cfg)
 {
 	struct net_device *dev;
 	char name[IFNAMSIZ];
-	struct l2tp_tunnel *tunnel;
 	struct l2tp_session *session;
 	struct l2tp_eth *priv;
 	struct l2tp_eth_sess *spriv;
 	int rc;
 	struct l2tp_eth_net *pn;
 
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (!tunnel) {
-		rc = -ENODEV;
-		goto out;
-	}
-
 	if (cfg->ifname) {
 		dev = dev_get_by_name(net, cfg->ifname);
 		if (dev) {
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 22917e751edf..d3a84a181348 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -627,10 +627,10 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
 		break;
 	}
 
-	ret = -EPROTONOSUPPORT;
-	if (l2tp_nl_cmd_ops[cfg.pw_type]->session_create)
-		ret = (*l2tp_nl_cmd_ops[cfg.pw_type]->session_create)(net, tunnel_id,
-			session_id, peer_session_id, &cfg);
+	ret = l2tp_nl_cmd_ops[cfg.pw_type]->session_create(net, tunnel,
+							   session_id,
+							   peer_session_id,
+							   &cfg);
 
 	if (ret >= 0) {
 		session = l2tp_session_get(net, tunnel, session_id, false);
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 5738456b3b58..377ef5f0f39a 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -810,25 +810,20 @@ end:
 
 #ifdef CONFIG_L2TP_V3
 
-/* Called when creating sessions via the netlink interface.
- */
-static int pppol2tp_session_create(struct net *net, u32 tunnel_id, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
+/* Called when creating sessions via the netlink interface. */
+static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel,
+				   u32 session_id, u32 peer_session_id,
+				   struct l2tp_session_cfg *cfg)
 {
 	int error;
-	struct l2tp_tunnel *tunnel;
 	struct l2tp_session *session;
 	struct pppol2tp_session *ps;
 
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-
-	/* Error if we can't find the tunnel */
-	error = -ENOENT;
-	if (tunnel == NULL)
-		goto out;
-
 	/* Error if tunnel socket is not prepped */
-	if (tunnel->sock == NULL)
+	if (!tunnel->sock) {
+		error = -ENOENT;
 		goto out;
+	}
 
 	/* Default MTU values. */
 	if (cfg->mtu == 0)

From patchwork Thu May 21 23:57:36 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225454
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 74634C433E2
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:43 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 502AD206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:43 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="GiAFc2oM"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1730198AbgEUX6m (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59666 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1728537AbgEUX6m (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:42 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 79DB5C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:42 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id z5so2857073ybg.11
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=dccCgo5ByLuHxM+i+BDrTROh9f/WX96/1AByl/fYA8Q=;
 b=GiAFc2oM0OdsFGhEcYBZGwFn5rmynZUTXkTuvautLRqAlwOdkKEgfjvlE5ZShMjjk9
 B+6/qk3BmkLwmmKTP28wqXhkOlvOvdFdCLHgS5f2iwq352jn3R0GOVxlABmlu7msBua6
 CgiwpeWajFZoQPb8Z5WF+9qjPUiNL89SvGxlOFZU87tFAZ8ZivdViRbVC+op9qyhprJQ
 qBIyBDc10j/qJ/wsZW11QZTzrZJ8HYhperlInezG9KEMbe/3WO3aVlBgWuri80nfM0Zs
 OIf+8jOuuKVHAAc6nDs1s3hSSRaHRyOHZ6tT9kABU6qobGW/VjmL+E6mb1s5FOiSLnFw
 DokQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=dccCgo5ByLuHxM+i+BDrTROh9f/WX96/1AByl/fYA8Q=;
 b=D36xpcNOmyvmlWZSDX1WjLD4MkG1OMIhEybLYCFI93EzWfZNAvz1KFO1RCMfi97DXL
 qi2zRGOakuBa2oeMsJytuVvVHISrae+XEHOQAelWwUwQZibZV4C8FiasWDEOdhfm62sF
 I4NLmnF7u1Hs+NnFAZjxTHIYbtp71Mcy4ngcsRgU1glfX4qY1uR+9YLFhALuY0On4Cx7
 mlopczFL02YpiGR4jfGnUdoCEx/jQOGZmEso1pysfXvm0gOpt5U9frXf216iXNM/0Jtw
 LgRGZwkiTEavgvd01F2eshVgt0MIz9/ZlWzsRlSskLXu9gbg7hGWy1J/ihYb+zAhtguP
 T5kw==
X-Gm-Message-State: AOAM530FSAWdyZGUZTCjBs9896XgkN4aU54Z0tZg06dSgbUlH7x8XbuD
 udj65Sk+dAt3WLETl2eFWTo9WmEO2Jx8NA==
X-Google-Smtp-Source: ABdhPJyQCr4SaPjVI5rv7iztfBSqjpJ6wz+/b9qniRcaEBwq78LjSUWFuhF1oktVDtdl5anlSt+i9/BJUI0aGQ==
X-Received: by 2002:a25:bb03:: with SMTP id z3mr18846119ybg.6.1590105521697; 
 Thu, 21 May 2020 16:58:41 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:36 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-24-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 23/27] l2tp: fix l2tp_eth module loading
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 9f775ead5e570e7e19015b9e4e2f3dd6e71a5935 upstream.

The l2tp_eth module crashes if its netlink callbacks are run when the
pernet data aren't initialised.

We should normally register_pernet_device() before the genl callbacks.
However, the pernet data only maintain a list of l2tpeth interfaces,
and this list is never used. So let's just drop pernet handling
instead.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_eth.c | 51 ++-------------------------------------------
 1 file changed, 2 insertions(+), 49 deletions(-)

diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index c785308f630b..ab6d2152eafb 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -44,7 +44,6 @@ struct l2tp_eth {
 	struct net_device	*dev;
 	struct sock		*tunnel_sock;
 	struct l2tp_session	*session;
-	struct list_head	list;
 	atomic_long_t		tx_bytes;
 	atomic_long_t		tx_packets;
 	atomic_long_t		tx_dropped;
@@ -58,17 +57,6 @@ struct l2tp_eth_sess {
 	struct net_device	*dev;
 };
 
-/* per-net private data for this module */
-static unsigned int l2tp_eth_net_id;
-struct l2tp_eth_net {
-	struct list_head l2tp_eth_dev_list;
-	spinlock_t l2tp_eth_lock;
-};
-
-static inline struct l2tp_eth_net *l2tp_eth_pernet(struct net *net)
-{
-	return net_generic(net, l2tp_eth_net_id);
-}
 
 static struct lock_class_key l2tp_eth_tx_busylock;
 static int l2tp_eth_dev_init(struct net_device *dev)
@@ -84,12 +72,6 @@ static int l2tp_eth_dev_init(struct net_device *dev)
 
 static void l2tp_eth_dev_uninit(struct net_device *dev)
 {
-	struct l2tp_eth *priv = netdev_priv(dev);
-	struct l2tp_eth_net *pn = l2tp_eth_pernet(dev_net(dev));
-
-	spin_lock(&pn->l2tp_eth_lock);
-	list_del_init(&priv->list);
-	spin_unlock(&pn->l2tp_eth_lock);
 	dev_put(dev);
 }
 
@@ -266,7 +248,6 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 	struct l2tp_eth *priv;
 	struct l2tp_eth_sess *spriv;
 	int rc;
-	struct l2tp_eth_net *pn;
 
 	if (cfg->ifname) {
 		dev = dev_get_by_name(net, cfg->ifname);
@@ -299,7 +280,6 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 	priv = netdev_priv(dev);
 	priv->dev = dev;
 	priv->session = session;
-	INIT_LIST_HEAD(&priv->list);
 
 	priv->tunnel_sock = tunnel->sock;
 	session->recv_skb = l2tp_eth_dev_recv;
@@ -320,10 +300,6 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 	strlcpy(session->ifname, dev->name, IFNAMSIZ);
 
 	dev_hold(dev);
-	pn = l2tp_eth_pernet(dev_net(dev));
-	spin_lock(&pn->l2tp_eth_lock);
-	list_add(&priv->list, &pn->l2tp_eth_dev_list);
-	spin_unlock(&pn->l2tp_eth_lock);
 
 	return 0;
 
@@ -336,22 +312,6 @@ out:
 	return rc;
 }
 
-static __net_init int l2tp_eth_init_net(struct net *net)
-{
-	struct l2tp_eth_net *pn = net_generic(net, l2tp_eth_net_id);
-
-	INIT_LIST_HEAD(&pn->l2tp_eth_dev_list);
-	spin_lock_init(&pn->l2tp_eth_lock);
-
-	return 0;
-}
-
-static struct pernet_operations l2tp_eth_net_ops = {
-	.init = l2tp_eth_init_net,
-	.id   = &l2tp_eth_net_id,
-	.size = sizeof(struct l2tp_eth_net),
-};
-
 
 static const struct l2tp_nl_cmd_ops l2tp_eth_nl_cmd_ops = {
 	.session_create	= l2tp_eth_create,
@@ -365,25 +325,18 @@ static int __init l2tp_eth_init(void)
 
 	err = l2tp_nl_register_ops(L2TP_PWTYPE_ETH, &l2tp_eth_nl_cmd_ops);
 	if (err)
-		goto out;
-
-	err = register_pernet_device(&l2tp_eth_net_ops);
-	if (err)
-		goto out_unreg;
+		goto err;
 
 	pr_info("L2TP ethernet pseudowire support (L2TPv3)\n");
 
 	return 0;
 
-out_unreg:
-	l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH);
-out:
+err:
 	return err;
 }
 
 static void __exit l2tp_eth_exit(void)
 {
-	unregister_pernet_device(&l2tp_eth_net_ops);
 	l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH);
 }
 

From patchwork Thu May 21 23:57:38 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225453
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 4630EC433E1
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:49 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 11B46206D4
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:49 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="ny24mXoz"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1730218AbgEUX6s (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:48 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59682 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1728537AbgEUX6s (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:48 -0400
Received: from mail-qv1-xf49.google.com (mail-qv1-xf49.google.com
 [IPv6:2607:f8b0:4864:20::f49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A8016C061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:46 -0700 (PDT)
Received: by mail-qv1-xf49.google.com with SMTP id i6so8896822qvq.17
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=QQblDEajdwntKpXYKbUOw/AuvjrP59iBpgPIfqtBaPY=;
 b=ny24mXozJYsYfULMG4oPZJ26I5riLUkcmpwYZNgKuowosgjfEeu6ogKJ/dW4iB1+RR
 ggnEi9ELh7m2sGhpOMAUwFgva+8gJA0uUjXlh1VHg2Xg+jW6PogUTLvWLaddo0+Ogohx
 Cy5y8EucpSXQTLKXDnNjzyDEYBkoKW69ifWiIufecU+yTGct2H79kprYb2oFdV+PBbIA
 o4AjE4yqy67ZJA6E/RXTWFd0J8eWfRVqnBaicL+upmvkSgujNKF2H1BLng+fzy3E0enT
 lAeDdL7qg7COF4RxPL+kYV3Kb51FTKJ1qM8q+8wDsjbpqkpm7mKub641TtvUCeKqwJGa
 3PKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=QQblDEajdwntKpXYKbUOw/AuvjrP59iBpgPIfqtBaPY=;
 b=KIJf2iWSRXi0Gu7t9oHx5xlI47YHLAKq4aE29RhGMH/GsxUAITTuvyTkS1YppOknuw
 WFHOxXNTJXWxfoklMj1FXr094WAktrOKryilJpzFCQjusCRWnPgJRtMnPekoy9mrgDX3
 KWExdJnC0WFB6xcipifZOdbKitbPIo29TGyiZ9mGQdQOM3LR2ZhPsaOKeXqDQCFh3GMR
 ZLJpUTFqoaXWpSAMgU8TYiXKoMlQ40pzyimLvxkAD5RTsnE6fkyXYzBtxYVBOlxeH5Bp
 64CfudPyrgh8CJQgsdEU4Q12mi7uQpK5iHZHLPrix0ix9bCZ4AwEd6+DOeORwMYecwwD
 1Dtw==
X-Gm-Message-State: AOAM533X+S3apqnRok45S5rxm5wFHkR8RPDWfwRCYJk4f7E9eWv58tHk
 0wYYY7Y/6kFOBIPRaZwM4D1boU/YxdZq5w==
X-Google-Smtp-Source: ABdhPJwQseJnRC+41KnJouDIgh6Kt2xEbUFOFx7kX8VptW+SKFRYUddyHVnjHZXMLRN+Mk6Mx5ozQtWrFsUCLA==
X-Received: by 2002:ad4:40ca:: with SMTP id x10mr1269166qvp.220.1590105525849; 
 Thu, 21 May 2020 16:58:45 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:38 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-26-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 25/27] l2tp: initialise l2tp_eth sessions before registering
 them
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream.

Sessions must be initialised before being made externally visible by
l2tp_session_register(). Otherwise the session may be concurrently
deleted before being initialised, which can confuse the deletion path
and eventually lead to kernel oops.

Therefore, we need to move l2tp_session_register() down in
l2tp_eth_create(), but also handle the intermediate step where only the
session or the netdevice has been registered.

We can't just call l2tp_session_register() in ->ndo_init() because
we'd have no way to properly undo this operation in ->ndo_uninit().
Instead, let's register the session and the netdevice in two different
steps and protect the session's device pointer with RCU.

And now that we allow the session's .dev field to be NULL, we don't
need to prevent the netdevice from being removed anymore. So we can
drop the dev_hold() and dev_put() calls in l2tp_eth_create() and
l2tp_eth_dev_uninit().

Backporting Notes

l2tp_eth.c: In l2tp_eth_create the "out" label was renamed to "err".
There was one extra occurrence of "goto out" to update.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_eth.c | 108 +++++++++++++++++++++++++++++++-------------
 1 file changed, 76 insertions(+), 32 deletions(-)

diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index 750662de735e..facc180d1635 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -54,7 +54,7 @@ struct l2tp_eth {
 
 /* via l2tp_session_priv() */
 struct l2tp_eth_sess {
-	struct net_device	*dev;
+	struct net_device __rcu *dev;
 };
 
 
@@ -72,7 +72,14 @@ static int l2tp_eth_dev_init(struct net_device *dev)
 
 static void l2tp_eth_dev_uninit(struct net_device *dev)
 {
-	dev_put(dev);
+	struct l2tp_eth *priv = netdev_priv(dev);
+	struct l2tp_eth_sess *spriv;
+
+	spriv = l2tp_session_priv(priv->session);
+	RCU_INIT_POINTER(spriv->dev, NULL);
+	/* No need for synchronize_net() here. We're called by
+	 * unregister_netdev*(), which does the synchronisation for us.
+	 */
 }
 
 static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
@@ -126,8 +133,8 @@ static void l2tp_eth_dev_setup(struct net_device *dev)
 static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len)
 {
 	struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-	struct net_device *dev = spriv->dev;
-	struct l2tp_eth *priv = netdev_priv(dev);
+	struct net_device *dev;
+	struct l2tp_eth *priv;
 
 	if (session->debug & L2TP_MSG_DATA) {
 		unsigned int length;
@@ -151,16 +158,25 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
 	skb_dst_drop(skb);
 	nf_reset(skb);
 
+	rcu_read_lock();
+	dev = rcu_dereference(spriv->dev);
+	if (!dev)
+		goto error_rcu;
+
+	priv = netdev_priv(dev);
 	if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
 		atomic_long_inc(&priv->rx_packets);
 		atomic_long_add(data_len, &priv->rx_bytes);
 	} else {
 		atomic_long_inc(&priv->rx_errors);
 	}
+	rcu_read_unlock();
+
 	return;
 
+error_rcu:
+	rcu_read_unlock();
 error:
-	atomic_long_inc(&priv->rx_errors);
 	kfree_skb(skb);
 }
 
@@ -171,11 +187,15 @@ static void l2tp_eth_delete(struct l2tp_session *session)
 
 	if (session) {
 		spriv = l2tp_session_priv(session);
-		dev = spriv->dev;
+
+		rtnl_lock();
+		dev = rtnl_dereference(spriv->dev);
 		if (dev) {
-			unregister_netdev(dev);
-			spriv->dev = NULL;
+			unregister_netdevice(dev);
+			rtnl_unlock();
 			module_put(THIS_MODULE);
+		} else {
+			rtnl_unlock();
 		}
 	}
 }
@@ -185,9 +205,20 @@ static void l2tp_eth_show(struct seq_file *m, void *arg)
 {
 	struct l2tp_session *session = arg;
 	struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-	struct net_device *dev = spriv->dev;
+	struct net_device *dev;
+
+	rcu_read_lock();
+	dev = rcu_dereference(spriv->dev);
+	if (!dev) {
+		rcu_read_unlock();
+		return;
+	}
+	dev_hold(dev);
+	rcu_read_unlock();
 
 	seq_printf(m, "   interface %s\n", dev->name);
+
+	dev_put(dev);
 }
 #endif
 
@@ -254,7 +285,7 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 		if (dev) {
 			dev_put(dev);
 			rc = -EEXIST;
-			goto out;
+			goto err;
 		}
 		strlcpy(name, cfg->ifname, IFNAMSIZ);
 	} else
@@ -264,21 +295,14 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 				      peer_session_id, cfg);
 	if (IS_ERR(session)) {
 		rc = PTR_ERR(session);
-		goto out;
-	}
-
-	l2tp_session_inc_refcount(session);
-	rc = l2tp_session_register(session, tunnel);
-	if (rc < 0) {
-		kfree(session);
-		goto out;
+		goto err;
 	}
 
 	dev = alloc_netdev(sizeof(*priv), name, NET_NAME_UNKNOWN,
 			   l2tp_eth_dev_setup);
 	if (!dev) {
 		rc = -ENOMEM;
-		goto out_del_session;
+		goto err_sess;
 	}
 
 	dev_net_set(dev, net);
@@ -296,28 +320,48 @@ static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel,
 #endif
 
 	spriv = l2tp_session_priv(session);
-	spriv->dev = dev;
 
-	rc = register_netdev(dev);
-	if (rc < 0)
-		goto out_del_dev;
+	l2tp_session_inc_refcount(session);
+
+	rtnl_lock();
+
+	/* Register both device and session while holding the rtnl lock. This
+	 * ensures that l2tp_eth_delete() will see that there's a device to
+	 * unregister, even if it happened to run before we assign spriv->dev.
+	 */
+	rc = l2tp_session_register(session, tunnel);
+	if (rc < 0) {
+		rtnl_unlock();
+		goto err_sess_dev;
+	}
+
+	rc = register_netdevice(dev);
+	if (rc < 0) {
+		rtnl_unlock();
+		l2tp_session_delete(session);
+		l2tp_session_dec_refcount(session);
+		free_netdev(dev);
+
+		return rc;
+	}
 
-	__module_get(THIS_MODULE);
-	/* Must be done after register_netdev() */
 	strlcpy(session->ifname, dev->name, IFNAMSIZ);
+	rcu_assign_pointer(spriv->dev, dev);
+
+	rtnl_unlock();
+
 	l2tp_session_dec_refcount(session);
 
-	dev_hold(dev);
+	__module_get(THIS_MODULE);
 
 	return 0;
 
-out_del_dev:
-	free_netdev(dev);
-	spriv->dev = NULL;
-out_del_session:
-	l2tp_session_delete(session);
+err_sess_dev:
 	l2tp_session_dec_refcount(session);
-out:
+	free_netdev(dev);
+err_sess:
+	kfree(session);
+err:
 	return rc;
 }
 

From patchwork Thu May 21 23:57:40 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Giuliano Procida <gprocida@google.com>
X-Patchwork-Id: 225452
Return-Path: <SRS0=V3Tr=7D=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED, DKIM_SIGNED, 
 DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,
 INCLUDES_PATCH, 
 MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS,
 URIBL_BLOCKED, 
 USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
 version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 22565C433E1
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:53 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id ED2DD2078B
 for <stable@archiver.kernel.org>;
 Thu, 21 May 2020 23:58:52 +0000 (UTC)
Authentication-Results: mail.kernel.org;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="KY4gYaip"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1730221AbgEUX6w (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 May 2020 19:58:52 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59696 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S1730220AbgEUX6w (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 May 2020 19:58:52 -0400
Received: from mail-qv1-xf49.google.com (mail-qv1-xf49.google.com
 [IPv6:2607:f8b0:4864:20::f49])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0825FC061A0E
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:51 -0700 (PDT)
Received: by mail-qv1-xf49.google.com with SMTP id z1so8871786qvd.23
 for <stable@vger.kernel.org>; Thu, 21 May 2020 16:58:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;
 h=date:in-reply-to:message-id:mime-version:references:subject:from:to
 :cc; bh=ugzLe892SXPoBO8tP7FQU1e9aRzgn6EOtLNzYEx/YZc=;
 b=KY4gYaipWN7W9zab1qEBG7sdp8ypwsYusxNSIhiQD6h7MFEf6ycipgyJSnHQ6CQUK5
 246sU5+X1azWZRzkGqG8xE91ssyQc3ppyvwZYfDLviRZmj+OsdbAKWGNwNKG4AyRHqNB
 paDVKfmDNUASJw0TCuqgI374vD2Vonxuqm0t94kgwF3H//1qugTzdN2PsrsvpOJcji4x
 1SNgvWH0KMQIz/j55oFx0HV65LUkKght7AzuUxYdcMvfXZGULso4X9ha6PdovMsQXCAs
 IikIWW/8XP1oR1TcgejA6SGLEB9hpn64Y/GjV8H2bPKCMtfhhXXub1FpYaNz6P9Yk3RC
 5P7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:in-reply-to:message-id:mime-version
 :references:subject:from:to:cc;
 bh=ugzLe892SXPoBO8tP7FQU1e9aRzgn6EOtLNzYEx/YZc=;
 b=HBFwjG/qYkYOBA7gH7cstVoO3UzjqmSQ4E9MDsOzyIfsm6Zstp0nPOHeqHmETwS+7E
 zFjNCl94LdgF+PSV1qSi7LegixX9BofkieoyC+u/gaawl4kP0+pdYOsxrp8zCVgVOGu0
 CqOa7AIwRjoEIChAMdtyukiThk+3YuDeLmbQ0STqw5MOLnpKefKJNse+7oyV940IkNPf
 sQsE2/SNxPnsj3sZm8uOsO4HT7jLbmoGexyrQSGFGJkFeP7TBCS76YudOUmvFfGbraVY
 dVtZWM7m91A3Za5B8qqFlZVj/9FVacGYX5SYK8pzGXM/3SZ0kqWNShGJgLtHgedSmfxl
 6G/w==
X-Gm-Message-State: AOAM530tdGsx4+DlBHhunc5pwkhJQn9otZJsUbnViE7TaYCnls6MWwVp
 re9VJ/EDMnv77FRnWdrQjo3Q8Hhlckn7sQ==
X-Google-Smtp-Source: ABdhPJxC6s9APXuE4hS/YEN8UG7oF4GLfJ1pJPX2yY1EpVe1qbWCjtZFDeU/cGpYFklbgM0vCkb905x2shPQiw==
X-Received: by 2002:a0c:8c4f:: with SMTP id o15mr1221790qvb.201.1590105530217; 
 Thu, 21 May 2020 16:58:50 -0700 (PDT)
Date: Fri, 22 May 2020 00:57:40 +0100
In-Reply-To: <20200521235740.191338-1-gprocida@google.com>
Message-Id: <20200521235740.191338-28-gprocida@google.com>
Mime-Version: 1.0
References: <20200521235740.191338-1-gprocida@google.com>
X-Mailer: git-send-email 2.27.0.rc0.183.gde8f92d652-goog
Subject: [PATCH 27/27] l2tp: initialise PPP sessions before registering them
From: Giuliano Procida <gprocida@google.com>
To: greg@kroah.com
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>,
 Giuliano Procida <gprocida@google.com>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c upstream.

pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.

This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.

The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.

Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.

When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 net/l2tp/l2tp_ppp.c | 69 +++++++++++++++++++++++++--------------------
 1 file changed, 38 insertions(+), 31 deletions(-)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 4ba4546051ed..8ff5352bb0e3 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -464,9 +464,6 @@ static void pppol2tp_session_close(struct l2tp_session *session)
 			inet_shutdown(sk->sk_socket, SEND_SHUTDOWN);
 		sock_put(sk);
 	}
-
-	/* Don't let the session go away before our socket does */
-	l2tp_session_inc_refcount(session);
 }
 
 /* Really kill the session socket. (Called from sock_put() if
@@ -522,8 +519,7 @@ static int pppol2tp_release(struct socket *sock)
 	if (session != NULL) {
 		struct pppol2tp_session *ps;
 
-		__l2tp_session_unhash(session);
-		l2tp_session_queue_purge(session);
+		l2tp_session_delete(session);
 
 		ps = l2tp_session_priv(session);
 		mutex_lock(&ps->sk_lock);
@@ -615,6 +611,35 @@ static void pppol2tp_show(struct seq_file *m, void *arg)
 }
 #endif
 
+static void pppol2tp_session_init(struct l2tp_session *session)
+{
+	struct pppol2tp_session *ps;
+	struct dst_entry *dst;
+
+	session->recv_skb = pppol2tp_recv;
+	session->session_close = pppol2tp_session_close;
+#if defined(CONFIG_L2TP_DEBUGFS) || defined(CONFIG_L2TP_DEBUGFS_MODULE)
+	session->show = pppol2tp_show;
+#endif
+
+	ps = l2tp_session_priv(session);
+	mutex_init(&ps->sk_lock);
+	ps->tunnel_sock = session->tunnel->sock;
+	ps->owner = current->pid;
+
+	/* If PMTU discovery was enabled, use the MTU that was discovered */
+	dst = sk_dst_get(session->tunnel->sock);
+	if (dst) {
+		u32 pmtu = dst_mtu(dst);
+
+		if (pmtu) {
+			session->mtu = pmtu - PPPOL2TP_HEADER_OVERHEAD;
+			session->mru = pmtu - PPPOL2TP_HEADER_OVERHEAD;
+		}
+		dst_release(dst);
+	}
+}
+
 /* connect() handler. Attach a PPPoX socket to a tunnel UDP socket
  */
 static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
@@ -626,7 +651,6 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 	struct l2tp_session *session = NULL;
 	struct l2tp_tunnel *tunnel;
 	struct pppol2tp_session *ps;
-	struct dst_entry *dst;
 	struct l2tp_session_cfg cfg = { 0, };
 	int error = 0;
 	u32 tunnel_id, peer_tunnel_id;
@@ -775,8 +799,8 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 			goto end;
 		}
 
+		pppol2tp_session_init(session);
 		ps = l2tp_session_priv(session);
-		mutex_init(&ps->sk_lock);
 		l2tp_session_inc_refcount(session);
 
 		mutex_lock(&ps->sk_lock);
@@ -789,26 +813,6 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 		drop_refcnt = true;
 	}
 
-	ps->owner	     = current->pid;
-	ps->tunnel_sock = tunnel->sock;
-
-	session->recv_skb	= pppol2tp_recv;
-	session->session_close	= pppol2tp_session_close;
-#if defined(CONFIG_L2TP_DEBUGFS) || defined(CONFIG_L2TP_DEBUGFS_MODULE)
-	session->show		= pppol2tp_show;
-#endif
-
-	/* If PMTU discovery was enabled, use the MTU that was discovered */
-	dst = sk_dst_get(tunnel->sock);
-	if (dst != NULL) {
-		u32 pmtu = dst_mtu(dst);
-
-		if (pmtu != 0)
-			session->mtu = session->mru = pmtu -
-				PPPOL2TP_HEADER_OVERHEAD;
-		dst_release(dst);
-	}
-
 	/* Special case: if source & dest session_id == 0x0000, this
 	 * socket is being created to manage the tunnel. Just set up
 	 * the internal context for use by ioctl() and sockopt()
@@ -842,6 +846,12 @@ out_no_ppp:
 	rcu_assign_pointer(ps->sk, sk);
 	mutex_unlock(&ps->sk_lock);
 
+	/* Keep the reference we've grabbed on the session: sk doesn't expect
+	 * the session to disappear. pppol2tp_session_destruct() is responsible
+	 * for dropping it.
+	 */
+	drop_refcnt = false;
+
 	sk->sk_state = PPPOX_CONNECTED;
 	l2tp_info(session, L2TP_MSG_CONTROL, "%s: created\n",
 		  session->name);
@@ -863,7 +873,6 @@ static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel,
 {
 	int error;
 	struct l2tp_session *session;
-	struct pppol2tp_session *ps;
 
 	/* Error if tunnel socket is not prepped */
 	if (!tunnel->sock) {
@@ -886,9 +895,7 @@ static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel,
 		goto err;
 	}
 
-	ps = l2tp_session_priv(session);
-	mutex_init(&ps->sk_lock);
-	ps->tunnel_sock = tunnel->sock;
+	pppol2tp_session_init(session);
 
 	error = l2tp_session_register(session, tunnel);
 	if (error < 0)