summaryrefslogtreecommitdiff
path: root/drivers/net/pppol2tp.c
AgeCommit message (Collapse)AuthorFilesLines
2008-06-10l2tp: Fix potential memory corruption in pppol2tp_recvmsg()James Chapman1-8/+12
This patch fixes a potential memory corruption in pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer length, memcpy_toiovec() will go into unintialized data on the kernel heap, interpret it as an iovec and start modifying memory. The fix is to change the memcpy_toiovec() call to skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP) are handled properly. Also check that the caller's buffer is big enough for the data and set the MSG_TRUNC flag if it is not so. Reported-by: Ilja <ilja@netric.org> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-05l2tp: Fix possible oops if transmitting or receiving when tunnel goes downJames Chapman1-23/+78
Some problems have been experienced in the field which cause an oops in the pppol2tp driver if L2TP tunnels fail while passing data. The pppol2tp driver uses private data that is referenced via the sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes sure that the driver uses sock_hold() when it holds a reference to the sk pointer. This affects its sendmsg(), recvmsg(), getname(), [gs]etsockopt() and ioctl() handlers. Tested by ISP where problem was seen. System has been up 10 days with no oops since running this patch. Without the patch, an oops would occur every 1-2 days. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-05lt2p: Fix possible WARN_ON from socket code when UDP socket is closedJames Chapman1-0/+10
If an L2TP daemon closes a tunnel socket while packets are queued in the tunnel's reorder queue, a kernel warning is logged because the socket is closed while skbs are still referencing it. The fix is to purge the queue in the socket's release handler. WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68() Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8 [<c0423c58>] warn_on_slowpath+0x41/0x51 [<c05d33a7>] udp_lib_unhash+0x41/0x68 [<c059424d>] sk_common_release+0x23/0x90 [<c05d16be>] udp_lib_close+0x8/0xa [<c05d8684>] inet_release+0x42/0x48 [<c0592599>] sock_release+0x14/0x60 [<c059299f>] sock_close+0x29/0x30 [<c046ef52>] __fput+0xad/0x15b [<c046f1d9>] fput+0x17/0x19 [<c046c8c4>] filp_close+0x50/0x5a [<c046da06>] sys_close+0x69/0x9f [<c04048ce>] syscall_call+0x7/0xb Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-20l2tp: avoid skb truesize bug if headroom is increasedJames Chapman1-5/+8
A user reported seeing occasional bugs such as the following when using the L2TP driver. SKB BUG: Invalid truesize (272) len=72, sizeof(sk_buff)=208 When L2TP adds its header in the transmit path, it might need to increase the headroom of the skb. In some cases, the increased headroom trips a kernel bug when the skb is freed because the skb has grown beyond its truesize value. The fix is to increase the truesize by the amount of headroom added, after orphaning the skb. While here, fix a misleading comment. Thanks to Iouri Kharon <bc-info@styx.cabel.net> for the initial report and testing the fix. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-13pppol2tp: Remove null pointer dereference.Julia Lawall1-3/+10
If session is NULL, it is not possible to access its name field. So I have split apart the printing of the error message to drop the printing of the name field in this case. The macro PRINTK actually only evaluates its arguments starting with the third one if the bitwise conjunction of the first two is non-zero. Normally, this conjunction would only be non-zero if debugging mode were turned on, but when session is NULL, the first argument in both the old and new code is -1, and thus the bitwise conjunction is true. Perhaps a different strategy is desired, such as using tunnel->debug, which session->debug is initialized to, but tunnel can also be NULL, so this does not completely solve the problem. This problem was found using the following semantic match (http://www.emn.fr/x-info/coccinelle/) // <smpl> @@ expression E, E1; identifier f; statement S1,S2,S3; @@ * if (E == NULL) { ... when != if (E == NULL) S1 else S2 when != E = E1 * E->f ... when any return ...; } else S3 // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-29netdev: use non-racy method for proc entries creationDenis V. Lunev1-2/+2
Use proc_create()/proc_create_data() to make sure that ->proc_fops and ->data be setup before gluing PDE to main tree. Signed-off-by: Denis V. Lunev <den@openvz.org> Cc: Jeff Garzik <jgarzik@pobox.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-03-06[PPPOL2TP]: Fix SMP issues in skb reorder queue handlingJames Chapman1-3/+8
When walking a session's packet reorder queue, use skb_queue_walk_safe() since the list could be modified inside the loop. Rearrange the unlinking skbs from the reorder queue such that it is done while the queue lock is held in pppol2tp_recv_dequeue() when walking the skb list. A version of this patch was suggested by Jarek Poplawski. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-03-06[PPPOL2TP]: Make locking calls softirq-safeJames Chapman1-29/+29
Fix locking issues in the pppol2tp driver which can cause a kernel crash on SMP boxes. There were two problems:- 1. The driver was violating read_lock() and write_lock() scheduling rules because it wasn't using softirq-safe locks in softirq contexts. So we now consistently use the _bh variants of the lock functions. 2. The driver was calling sk_dst_get() in pppol2tp_xmit() which was taking sk_dst_lock in softirq context. We now call __sk_dst_get(). Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-03-04[PPPOL2TP]: Add missing sock_put() in pppol2tp_tunnel_closeall()Jarek Poplawski1-1/+6
Every skb removed from session->reorder_q needs sock_put(). Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Acked-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-03-04Subject: [PPPOL2TP] add missing sock_put() in pppol2tp_recv_dequeue()Jarek Poplawski1-0/+1
Every skb removed from session->reorder_q needs sock_put(). Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Acked-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-10pppol2tp: fix printk warningsAndrew Morton1-10/+12
drivers/net/pppol2tp.c: In function `pppol2tp_seq_tunnel_show': drivers/net/pppol2tp.c:2295: warning: long long unsigned int format, __u64 arg (arg 4) drivers/net/pppol2tp.c:2295: warning: long long unsigned int format, __u64 arg (arg 5) drivers/net/pppol2tp.c:2295: warning: long long unsigned int format, __u64 arg (arg 6) drivers/net/pppol2tp.c:2295: warning: long long unsigned int format, __u64 arg (arg 7) drivers/net/pppol2tp.c:2295: warning: long long unsigned int format, __u64 arg (arg 8) drivers/net/pppol2tp.c:2295: warning: long long unsigned int format, __u64 arg (arg 9) drivers/net/pppol2tp.c: In function `pppol2tp_seq_session_show': drivers/net/pppol2tp.c:2328: warning: long long unsigned int format, __u64 arg (arg 5) drivers/net/pppol2tp.c:2328: warning: long long unsigned int format, __u64 arg (arg 6) drivers/net/pppol2tp.c:2328: warning: long long unsigned int format, __u64 arg (arg 7) drivers/net/pppol2tp.c:2328: warning: long long unsigned int format, __u64 arg (arg 8) drivers/net/pppol2tp.c:2328: warning: long long unsigned int format, __u64 arg (arg 9) drivers/net/pppol2tp.c:2328: warning: long long unsigned int format, __u64 arg (arg 10) Not all platforms implement u64 with unsigned long long. eg: powerpc. Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-06[PPPOL2TP]: Label unused warning when CONFIG_PROC_FS is not set.Rami Rosen1-1/+2
When CONFIG_PROC_FS is not set and CONFIG_PPPOL2TP is set, we have the following warning in build: drivers/net/pppol2tp.c: In function 'pppol2tp_init': drivers/net/pppol2tp.c:2472: warning: label 'out_unregister_pppox_proto' defined but not used This patches fixes this warning by adding appropriate #ifdef. Signed-off-by: Rami Rosen <ramirose@gmail.com> Acked-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-29drivers/net: Add missing "space"Joe Perches1-1/+1
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-11-07[PPP]: L2TP: Fix oops in transmit and receive pathsJames Chapman1-7/+18
Changes made on 18-sep to fix skb handling in the pppol2tp driver broke the transmit and receive paths. Users are only running into this now because distros are now using 2.6.23 and I must have messed up when I tested the change. For receive, we now do our own calculation of how much to pull from the skb (variable length L2TP header) rather than using skb_transport_offset(). Also, if the skb isn't a data packet, it must be passed back to UDP with skb->data pointing to the UDP header. For transmit, make sure skb->sk is set up because ip_queue_xmit() needs it. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-11-01[NET]: Forget the zero_it argument of sk_alloc()Pavel Emelyanov1-1/+1
Finally, the zero_it argument can be completely removed from the callers and from the function prototype. Besides, fix the checkpatch.pl warnings about using the assignments inside if-s. This patch is rather big, and it is a part of the previous one. I splitted it wishing to make the patches more readable. Hope this particular split helped. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-11[NET]: Make socket creation namespace safe.Eric W. Biederman1-2/+2
This patch passes in the namespace a new socket should be created in and has the socket code do the appropriate reference counting. By virtue of this all socket create methods are touched. In addition the socket create methods are modified so that they will fail if you attempt to create a socket in a non-default network namespace. Failing if we attempt to create a socket outside of the default network namespace ensures that as we incrementally make the network stack network namespace aware we will not export functionality that someone has not audited and made certain is network namespace safe. Allowing us to partially enable network namespaces before all of the exotic protocols are supported. Any protocol layers I have missed will fail to compile because I now pass an extra parameter into the socket creation code. [ Integrated AF_IUCV build fixes from Andrew Morton... -DaveM ] Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-11[NET]: Make /proc/net per network namespaceEric W. Biederman1-2/+3
This patch makes /proc/net per network namespace. It modifies the global variables proc_net and proc_net_stat to be per network namespace. The proc_net file helpers are modified to take a network namespace argument, and all of their callers are fixed to pass &init_net for that argument. This ensures that all of the /proc/net files are only visible and usable in the initial network namespace until the code behind them has been updated to be handle multiple network namespaces. Making /proc/net per namespace is necessary as at least some files in /proc/net depend upon the set of network devices which is per network namespace, and even more files in /proc/net have contents that are relevant to a single network namespace. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-20[PPP] L2TP: Fix skb handling in pppol2tp_xmitHerbert Xu1-40/+23
This patch makes pppol2tp_xmit call skb_cow_head so that we don't modify cloned skb data. It also gets rid of skb2 we only need to preserve the original skb for congestion notification, which is only applicable for ppp_async and ppp_sync. The other semantic change made here is the removal of socket accounting for data tranmitted out of pppol2tp_xmit. The original code leaked any existing socket skb accounting. We could fix this by dropping the original skb owner. However, this is undesirable as the packet has not physically left the host yet. In fact, all other tunnels in the kernel do not account skb's passing through to their own socket. In partciular, ESP over UDP does not do so and it is the closest tunnel type to PPPoL2TP. So this patch simply removes the socket accounting in pppol2tp_xmit. The accounting still applies to control packets of course. I've also added a reminder that the outgoing checksum here doesn't work. I suppose existing deployments don't actually enable checksums. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-20[PPP] L2TP: Fix skb handling in pppol2tp_recv_coreHerbert Xu1-20/+24
The function pppol2tp_recv_core doesn't handle non-linear packets properly. It also fails to check the remote offset field. This patch fixes these problems. It also removes an unnecessary check on the UDP header which has already been performed by the UDP layer. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-20[PPP] L2TP: Disallow non-UDP datagram socketsHerbert Xu1-5/+6
With the addition of UDP-Lite we need to refine the socket check so that only genuine UDP sockets are allowed through. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-26misannotation in pppol2tpAl Viro1-2/+2
Address of auto variable is not a userland pointer. A good thing, too, since if pppol2tp_tunnel_getsockopt() would _really_ get a userland pointer as argument, it would be an instant roothole... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-18[PPPOL2TP]: Reset meta-data in xmit functionPatrick McHardy1-0/+6
Reset netfilter data and IP CB, fix dst_entry leak. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-18[PPPOL2TP]: Fix use-after-freePatrick McHardy1-4/+8
Don't use skb->len after passing it to ip_queue_xmit. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-11[PPPOL2TP]: Use proper printf format specifier for size_t.David S. Miller1-2/+2
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-11[L2TP]: PPP over L2TP driver coreJames Chapman1-0/+2486
This driver handles only L2TP data frames; control frames are handled by a userspace application. It implements L2TP using the PPPoX socket family. There is a PPPoX socket for each L2TP session in an L2TP tunnel. PPP data within each session is passed through the kernel's PPP subsystem via this driver. Kernel parameters of each socket can be read or modified using ioctl() or [gs]etsockopt() calls. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>