> Documentation/networking/ppp_generic.rst | 9 ++
> drivers/net/ppp/ppp_generic.c| 143 ++-
> include/uapi/linux/ppp-ioctl.h | 2 +
> 3 files changed, 152 insertions(+), 2 deletions(-)
>
Reviewed-by: James Chapman
tp/l2tp_core.h | 4 +-
> net/l2tp/l2tp_eth.c | 3 +-
> net/l2tp/l2tp_netlink.c | 20 +-
> net/l2tp/l2tp_ppp.c | 3 +-
> 9 files changed, 527 insertions(+), 28 deletions(-)
> create mode 100644 net/l2tp/l2tp_ac_pppoe.c
>
Reviewed-by: James Chapman
de in l2tp_tunnel_closeall
>
> net/l2tp/l2tp_core.c| 134 +++-
> net/l2tp/l2tp_core.h| 10 ++-
> net/l2tp/l2tp_eth.c | 2 +-
> net/l2tp/l2tp_ip.c | 2 +-
> net/l2tp/l2tp_ip6.c | 2 +-
> net/l2tp/l2tp_netlink.c | 2 +-
> net/l2tp/l2tp_ppp.c | 15 ++++-
> 7 files changed, 87 insertions(+), 80 deletions(-)
>
Reviewed-by: James Chapman
oints.
>
> This patchset refactors l2tp to:
>
> * remove excessive logging
> * tweak useful log messages to use the standard pr_* calls for logging
>   rather than the l2tp wrappers
> * replace debug-level logging with tracepoints
> * add tracepoints for capturing tunnel and s
On 18/08/2020 19:57, Jakub Kicinski wrote:
> On Tue, 18 Aug 2020 16:11:35 +0100 jchap...@katalix.com wrote:
>> From: James Chapman
>>
>> Kernel documentation of L2TP has not been kept up to date and lacks
>> coverage of some L2TP APIs. While addressing this, refacto
+-
> net/l2tp/l2tp_ip6.c | 2 +-
> net/l2tp/l2tp_netlink.c | 206 ++--
> net/l2tp/l2tp_ppp.c | 59 ++++++------
> 6 files changed, 169 insertions(+), 150 deletions(-)
>
Reviewed-by: James Chapman
> net/l2tp/l2tp_ip.c | 17 +
> net/l2tp/l2tp_ip6.c | 29 +++
> net/l2tp/l2tp_netlink.c | 75 ---------
> net/l2tp/l2tp_ppp.c | 20 +-
> 8 files changed, 145 insertions(+), 177 deletions(-)
>
Reviewed-by: James Chapman
ned by BPF.
I have reservations about using a bit in sk_user_data to indicate
ownership of that pointer. But putting that aside, I confirm that the
patch fixes the problem.
Acked-by: James Chapman
Tested-by: James Chapman
Reported-by: syzbot+9f092552ba9a5efca...@syzkaller.appspotmail.com
On Tue, Jul 07, 2020 at 11:31:28 -0700, Martin KaFai Lau wrote:
> On Mon, Jul 06, 2020 at 12:45:36PM -0700, David Miller wrote:
> > From: James Chapman
> > Date: Mon, 6 Jul 2020 13:12:59 +0100
> >
> > > The crash occurs in the socket destroy path. bpf_sk_reuseport_
On Wed, Jul 08, 2020 at 04:08:09 +0800, Xin Long wrote:
> On Wed, Jul 8, 2020 at 1:24 AM James Chapman wrote:
> >
> > On Tue, Jul 07, 2020 at 02:02:32 +0800, Xin Long wrote:
> > > In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set
> > > skb
On Tue, Jul 07, 2020 at 02:02:32 +0800, Xin Long wrote:
> In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set
> skb's dst. However, it will eventually call inet6_csk_xmit() or
> ip_queue_xmit() where skb's dst will be overwritten by:
>
>     skb_dst_set_noref(skb, dst);
>
> without
I'm investigating a crash found by syzbot which turns out to be caused
by bpf_sk_reuseport_detach assuming ownership of sk_user_data in the
UDP socket destroy path and corrupting metadata of a UDP socket user (l2tp).
Here's the syzbot report:
https://syzkaller.appspot.com/bug?extid=9f092552ba9a5efca
SO_REUSEPORT were set after the
socket is initialised by l2tp.
2. Should the reuseport code have a dedicated member of struct sock
to use instead of sk_user_data such that SO_REUSEPORT can be used
by UDP encap socket users like l2tp?
Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel cre
On 19/02/2019 13:09, t.mart...@avm.de wrote:
>
> Hello,
>
> thanks for your quick response.
>
> "James Chapman" wrote on 19.02.2019 13:40:10:
>
> > From: "James Chapman"
> > To: t.mart...@avm.de
> > Cc: da...@davemloft.net, "net
On 19/02/2019 09:17, t.mart...@avm.de wrote:
>
> Hello,
>
> I saw that you removed the offset option from l2tp sessions in Linux
> 4.16 (commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 l2tp: remove
> configurable payload offset). Since we need something like that I'm
> reaching out to you.
>
Adding
On 6 March 2018 at 15:54, Eric Dumazet wrote:
> From: Eric Dumazet
>
> syzkaller found an issue caused by lack of sufficient checks
> in l2tp_tunnel_create()
>
> RAW sockets can not be considered as UDP ones for instance.
Acked-by: James Chapman
patch into separate l2tp and ppp
parts")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ppp.c | 10 --
1 file changed, 10 deletions(-)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 59f246d7b290..2d2955e8f710 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
47bd5acde002e353...@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+6e6a5ec8de31a94cd...@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+9df43faf09bd400f2...@syzkaller.appspotmail.com
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 14 +++---
1 file changed, 7 insertions(+), 7 de
00 00 00 <49> 81 3c
24 80 93 3f 83 b8 00 00 00 00 44 0f 44 c0 83 fe 01 0f
RIP: __lock_acquire+0x263/0x1630 RSP: 88001a37fc70
CR2: 00a0
Fixes: 309795f4bec2d ("l2tp: Add netlink control API for L2TP")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 11 ++-
could be destroyed
while its associated tunnel/session object still existed (patches 3,
4). Patch 5 addresses a problem with the way tunnels are removed from
the tunnel list. Patch 5 is tagged that it addresses all four syzbot
issues, though all 5 patches are needed.
James Chapman (5):
l2tp
02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02
00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace
close")
Signed-off-by: Jame
20 85 64 85 e
8 2a 55 14 ff <0f> 0b 83 05 ad 2a 68 04 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41
Fixes: ee40fb2e1eb5b ("l2tp: protect sock pointer of struct pppol2tp_session
with RCU")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ppp.c | 52 +++
no longer used so is removed.
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace
close")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 128 ++-
net/l2tp/l2tp_core.h | 26 ++-
net/l2tp/l2tp_
fixes/reported-by tags to end of commit text and add my
signoff which got dropped in v2.
James Chapman (16):
l2tp: update sk_user_data while holding sk_callback_lock
l2tp: add RCU read lock to protect tunnel ptr in ip socket destroy
l2tp: don't use inet_shutdown on tunnel destroy
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ppp.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index ff95a4d4eac5..947066b3d6d8 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -172,8 +172,16 @@ static
orted-by: syzbot+8865eaff7f9acd593...@syzkaller.appspotmail.com
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 21 ++---
net/l2tp/l2tp_ppp.c | 8 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 194a7483bb93..de7
inated
tunnels")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 7 ++-
net/l2tp/l2tp_ppp.c | 36 ++--
2 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 691fe9368d91..477b96cf8ab3 1
The tunnel's closing flag is set when the tunnel is being
destroyed. Use it to reject new sessions and remove acpt_newsess which
was doing the same thing. Also prevent the tunnel being seen in
l2tp_tunnel_get lookups.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c
v3 IP encapsulation (no UDP) support")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ip.c | 5 -
net/l2tp/l2tp_ip6.c | 5 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index ff61124fdf59..42f3c2f72bf4 100644
--- a/net/l2tp/l2tp_ip.c
Replace the dead flag in the session context with a closing flag and
spinlock. Check it in session lookup functions such that we don't try
to access session data while it is being destroyed.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 34 +-
net
It's hard to understand pppol2tp_connect so split it up into separate
functions and document it better.
Fixes: fd558d186d ("l2tp: Split pppol2tp patch into separate l2tp and ppp
parts")
Signed-off-by: James Chapman
---
net/l2tp/l
Handle session destroy in the same way as we handle tunnel destroy -
through a workqueue. Sessions can be destroyed either because its
socket is closed (if it has a socket) or by netlink request. A
workqueue synchronises these.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 30
00 00 00 <49> 81 3c
24 80 93 3f 83 b8 00 00 00 00 44 0f 44 c0 83 fe 01 0f
RIP: __lock_acquire+0x263/0x1630 RSP: 88001a37fc70
CR2: 00a0
Fixes: 309795f4be ("l2tp: Add netlink control API for L2TP")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 11 ++-
ow unused so is removed.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 32
net/l2tp/l2tp_core.h | 1 -
2 files changed, 4 insertions(+), 29 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 55b1f312fedc..c909fe9273c9 100644
If when creating a new tunnel, the indicated fd is closed by another
thread, we emit an error message about it. e.g.
l2tp_core: tunl 4: sockfd_lookup(fd=3) returned -9
It's not useful so remove it.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 2 --
1 file changed, 2 dele
session.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 7 +--
net/l2tp/l2tp_core.h | 1 +
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 869dec89ff0f..d6306ba2d78e 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp
l2tp_tunnel_create now checks sk_user_data so this check is redundant
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 8
1 file changed, 8 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index c909fe9273c9..a91cd384e397 100644
--- a/net/l2tp/l2tp_core.c
400f2...@syzkaller.appspotmail.com
Reported-by: syzbot+6e6a5ec8de31a94cd...@syzkaller.appspotmail.com
Reported-by: syzbot+19c09769f14b48810...@syzkaller.appspotmail.com
Reported-by: syzbot+347bd5acde002e353...@syzkaller.appspotmail.com
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ppp.c
__l2tp_session_unhash is now only used internally so there is no
reason to expose it to other l2tp modules. Rename it
l2tp_session_unhash while we're at it.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 5 ++---
net/l2tp/l2tp_core.h | 1 -
2 files changed, 2 insertions(+), 4 dele
On 12/02/18 16:22, David Miller wrote:
> From: James Chapman
> Date: Mon, 12 Feb 2018 10:11:07 +
>
>> Previously, if a tunnel was closed, we called inet_shutdown to mark
>> the socket as unconnected such that userspace would get errors and
>> then close the s
Simplify relationship with tunnel such that the session holds a ref on
the tunnel, not its socket. This guarantees that the tunnel is always
extant if one or more sessions exists on the tunnel. If the session
has a socket (ppp), have it hold a ref on the socket until the session
is destroyed.
Sinc
Since session destroy now uses a workqueue, let l2tp_session_delete
handle all the work of destroying a session. Don't remove the session
from the tunnel's list immediately. The tunnel will remain extant
until all of its sessions are gone anyway.
The session's dead flag is now unused so is removed
Previously, if a tunnel was closed, we called inet_shutdown to mark
the socket as unconnected such that userspace would get errors and
then close the socket. This could race with userspace closing the
socket. Instead, leave userspace to close the socket in its own time
(our tunnel will be detached
It's hard to understand pppol2tp_connect so split it up into separate
functions and document it better.
Fixes: fd558d186d ("l2tp: Split pppol2tp patch into separate l2tp and ppp
parts")
---
net/l2tp/l2tp_ppp.c | 307 +++-
1 file changed, 185 insert
If an L2TPIP socket is closed, add RCU protection when we deref
sk_user_data to prevent races with another thread closing the same
tunnel.
Fixes: 0d76751fad ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 2 PID: 2892 at lib/refcou
Since L2TP hooks on sockets opened by userspace using sk_user_data, we
may race with other socket families that attempt to use the same
socket.
This problem was discovered by syzbot using AF_KCM. KCM has since been
modified to use only TCP sockets to avoid hitting this issue but we
should prevent
Handle session destroy in the same way as we handle tunnel destroy -
through a workqueue. Sessions can be destroyed either because its
socket is closed (if it has a socket) or by netlink request. A
workqueue synchronises these.
---
net/l2tp/l2tp_core.c | 30 +++---
net/l2tp
__l2tp_session_unhash is now only used internally so there is no
reason to expose it to other l2tp modules. Rename it
l2tp_session_unhash while we're at it.
---
net/l2tp/l2tp_core.c | 5 ++---
net/l2tp/l2tp_core.h | 1 -
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/l2tp/l2tp_
l2tp_tunnel_create now checks sk_user_data so this check is redundant
---
net/l2tp/l2tp_core.c | 8
1 file changed, 8 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index c909fe9273c9..a91cd384e397 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -14
Use l2tp core's session_free callback to drive the ppp session
cleanup. PPP sessions are cleaned up by RCU. The PPP session socket is
allowed to close only when the session is freed.
With this patch, the following syzbot bug reports are finally fixed.
Reported-by: syzbot+9df43faf09bd400f2...@syzk
Ensure that the tunnel's socket is always extant while the tunnel
object exists. Hold a ref on the socket until the tunnel is destroyed
and ensure that all tunnel destroy paths go through a common function
(l2tp_tunnel_delete).
Since the tunnel's socket is now guaranteed to exist if the tunnel
exi
---
net/l2tp/l2tp_ppp.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index ff95a4d4eac5..947066b3d6d8 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -172,8 +172,16 @@ static inline struct l2tp_session
*pppol
)
its socket closed. (patches 10-13)
6. Misc cleanups made possible by the refactoring done in this
series. (patches 14-16)
Changes in v2:-
Fix compile error that would have broken bisect.
James Chapman (16):
l2tp: update sk_user_data while holding sk_callback_lock
l2tp: add RCU
Replace the dead flag in the session context with a closing flag and
spinlock. Check it in session lookup functions such that we don't try
to access session data while it is being destroyed.
---
net/l2tp/l2tp_core.c | 34 +-
net/l2tp/l2tp_core.h | 2 ++
2 files cha
If when creating a new tunnel, the indicated fd is closed by another
thread, we emit an error message about it. e.g.
l2tp_core: tunl 4: sockfd_lookup(fd=3) returned -9
It's not useful so remove it.
---
net/l2tp/l2tp_core.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/l2tp/l2tp_cor
The tunnel's closing flag is set when the tunnel is being
destroyed. Use it to reject new sessions and remove acpt_newsess which
was doing the same thing. Also prevent the tunnel being seen in
l2tp_tunnel_get lookups.
---
net/l2tp/l2tp_core.c | 27 +--
net/l2tp/l2tp_core.h
When a session refcount hits 0, the session is freed via
l2tp_session_free. Some pseudowires (ppp, eth) may have additional
resources to free when this happens. Add a session_free callback that
can be used by pseudowires to override the default kfree. The callback
is responsible for freeing the ses
4 02 5d c3 80 3d 97 87 bb 01 00 75 f5
48 c7 c7 58 3e cc 82 c6 05 87 87 bb 01
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ip.c | 5 -
net/l2tp/l2tp_ip6.c | 5 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index ff61124fdf59..42
2/0x670 net/l2tp/l2tp_ppp.c:304 RSP: 8801d4887438
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 21 ++---
net/l2tp/l2tp_ppp.c | 8 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 194a7483bb93..de7
If when creating a new tunnel, the indicated fd is closed by another
thread, we emit an error message about it. e.g.
l2tp_core: tunl 4: sockfd_lookup(fd=3) returned -9
It's not useful so remove it.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 2 --
1 file changed, 2 dele
It's hard to understand pppol2tp_connect so split it up into separate
functions and document it better.
Fixes: fd558d186d ("l2tp: Split pppol2tp patch into separate l2tp and ppp
parts")
Signed-off-by: James Chapman
---
net/l2tp/l
The tunnel's closing flag is set when the tunnel is being
destroyed. Use it to reject new sessions and remove acpt_newsess which
was doing the same thing. Also prevent the tunnel being seen in
l2tp_tunnel_get lookups.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c
no longer used so is removed.
Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace
close")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 128 ++-
net/l2tp/l2tp_core.h | 26 ++-
net/l2tp/l2tp_
session.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 7 +--
net/l2tp/l2tp_core.h | 1 +
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 869dec89ff0f..d6306ba2d78e 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp
400f2...@syzkaller.appspotmail.com
Reported-by: syzbot+6e6a5ec8de31a94cd...@syzkaller.appspotmail.com
Reported-by: syzbot+19c09769f14b48810...@syzkaller.appspotmail.com
Reported-by: syzbot+347bd5acde002e353...@syzkaller.appspotmail.com
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ppp.c
Replace the dead flag in the session context with a closing flag and
spinlock. Check it in session lookup functions such that we don't try
to access session data while it is being destroyed.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 34 +-
net
__l2tp_session_unhash is now only used internally so there is no
reason to expose it to other l2tp modules. Rename it
l2tp_session_unhash while we're at it.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 5 ++---
net/l2tp/l2tp_core.h | 1 -
2 files changed, 2 insertions(+), 4 dele
Handle session destroy in the same way as we handle tunnel destroy -
through a workqueue. Sessions can be destroyed either because its
socket is closed (if it has a socket) or by netlink request. A
workqueue synchronises these.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 30
l2tp_tunnel_create now checks sk_user_data so this check is redundant
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 8
1 file changed, 8 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index c909fe9273c9..a91cd384e397 100644
--- a/net/l2tp/l2tp_core.c
f ff 1f 00 00 0f 87 7a 13 00 00 45 85 f6 49 8b 85
68 08 00 00 0f 84 ae 03 00 00 c7 44 24 18 00 00 00 00 e9 f0 00 00 00 <49> 81 3c
24 80 93 3f 83 b8 00 00 00 00 44 0f 44 c0 83 fe 01 0f
RIP: __lock_acquire+0x263/0x1630 RSP: 88001a37fc70
CR2: 00a0
Signed-off-by: James Chapma
)
its socket closed. (patches 10-13)
6. Misc cleanups made possible by the refactoring done in this
series. (patches 14-16)
James Chapman (16):
l2tp: update sk_user_data while holding sk_callback_lock
l2tp: add RCU read lock to protect tunnel ptr in ip socket destroy
l2tp: don'
inated
tunnels")
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c | 7 ++-
net/l2tp/l2tp_ppp.c | 36 ++--
2 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 691fe9368d91..477b96cf8ab3 1
Since session destroy now uses a workqueue, let l2tp_session_delete
handle all the work of destroying a session. Don't remove the session
from the tunnel's list immediately. The tunnel will remain extant
until all of its sessions are gone anyway.
Signed-off-by: James Chapman
---
Signed-off-by: James Chapman
---
net/l2tp/l2tp_ppp.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index ff95a4d4eac5..947066b3d6d8 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -172,8 +172,16 @@ static
I'm currently working on fixes for various l2tp problems reported by
syzbot. If anyone else is also working on this, please get back to me
so that we can avoid duplicate effort.
The syzbot reports are:
9df43faf0 KASAN: use-after-free Read in pppol2tp_connect
6e6a5ec8d general protection fault in p
On 18 January 2018 at 16:29, Guillaume Nault wrote:
> On Thu, Jan 18, 2018 at 03:40:52PM +0000, James Chapman wrote:
>> On 18 January 2018 at 15:18, Guillaume Nault wrote:
>> > On Wed, Jan 17, 2018 at 02:25:38PM -0500, David Miller wrote:
>> >> If all else was equa
On 18 January 2018 at 15:18, Guillaume Nault wrote:
> On Wed, Jan 17, 2018 at 02:25:38PM -0500, David Miller wrote:
>> From: James Chapman
>> Date: Wed, 17 Jan 2018 11:13:33 +
>>
>> > On 16 January 2018 at 19:00, David Miller wrote:
>> >> From: To
attribute as not used
>>
> Nice. Thanks for doing this work Lorenzo.
Acked-by: James Chapman
On 16 January 2018 at 19:00, David Miller wrote:
> From: Tom Herbert
> Date: Tue, 16 Jan 2018 09:36:41 -0800
>
>> sk_user_data is set with the sk_callback lock held in code below.
>> Should be able to take the lock earlier can do this check under the
>> lock.
>
> csock, and this csk, is obtained
On 15 January 2018 at 21:18, Lorenzo Bianconi
wrote:
>> On Sun, Jan 14, 2018 at 03:50:54PM +0100, Lorenzo Bianconi wrote:
>>> Although this issue is harmless since that code path is protected by the
>>> check on l2tp_nl_cmd_ops[]/l2tp_nl_cmd_ops[]->session_create(), fix error
>>> handling for L2TP
pp.c:176 [inline] RSP:
8801d4887438
RIP: pppol2tp_sendmsg+0x512/0x670 net/l2tp/l2tp_ppp.c:304 RSP: 8801d4887438
Reported-by: syzbot+114b15f2be420a888...@syzkaller.appspotmail.com
Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Signed-off-by: James Chapman
; + * Cookie value and sublayer format are negotiated with the peer when
> + * the session is set up. Unlike L2TPv2, we do not need to parse the
> + * packet header to determine if optional fields are present.
> *
> * Caller must already have parsed the frame and determined that it is
> * a data (not control) frame before coming here. Fields up to the
Acked-by: James Chapman
On 04/01/18 10:25, Guillaume Nault wrote:
>> diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
>> index eb69411..2c30587 100644
>> --- a/net/l2tp/l2tp_debugfs.c
>> +++ b/net/l2tp/l2tp_debugfs.c
>> @@ -180,8 +180,8 @@ static void l2tp_dfs_seq_session_show(struct seq_file
>> *m, void *v
number of bytes padding between L2TPv3 header and
payload. This is not compliant with L2TPv3 RFC3931. So this change
removes the configurable offset altogether while retaining
L2TP_ATTR_OFFSET in the API for backwards compatibility. If
L2TP_ATTR_OFFSET is given, its value is now silently igno
Signed-off-by: James Chapman
---
include/uapi/linux/l2tp.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/l2tp.h b/include/uapi/linux/l2tp.h
index d84ce5c..f78eef4 100644
--- a/include/uapi/linux/l2tp.h
+++ b/include/uapi/linux/l2tp.h
@@ -94,7 +94,7
Revert commit 820da5357572 ("l2tp: fix missing print session offset
info"). The peer_offset parameter is removed.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_netlink.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
ind
FSET
value is ignored.
Signed-off-by: James Chapman
---
net/l2tp/l2tp_core.c| 14 --
net/l2tp/l2tp_core.h| 3 ---
net/l2tp/l2tp_debugfs.c | 4 ++--
net/l2tp/l2tp_netlink.c | 3 ---
4 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/net/l2tp/l2tp_core.c
Revert commit f15bc54eeecd ("l2tp: add peer_offset parameter"). This
is removed because it is adding another configurable offset and
configurable offsets are being removed.
Signed-off-by: James Chapman
---
include/uapi/linux/l2tp.h | 1 -
net/l2tp/l2tp_core.c | 3 +--
On 02/01/18 20:08, James Chapman wrote:
On 02/01/18 18:05, Guillaume Nault wrote:
Lorenzo, is this being added to fix interoperability with another
L2TPv3
implementation? If so, can you share more details?
Hi James,
I introduced peer_offset parameter to fix a specific setup where
tunnel
On 02/01/18 17:50, Guillaume Nault wrote:
On Fri, Dec 29, 2017 at 06:53:56PM +, James Chapman wrote:
On 28/12/17 19:45, Guillaume Nault wrote:
Here we have an option that:
* creates invalid packets (AFAIK),
* is buggy and leaks memory on the network,
* doesn't seem to hav
On 02/01/18 19:28, Lorenzo Bianconi wrote:
Lorenzo, is this being added to fix interoperability with another L2TPv3
implementation? If so, can you share more details?
Hi James,
I introduced peer_offset parameter to fix a specific setup where
tunnel endpoints
running L2TPv3 would use different
On 02/01/18 18:05, Guillaume Nault wrote:
Lorenzo, is this being added to fix interoperability with another L2TPv3
implementation? If so, can you share more details?
Hi James,
I introduced peer_offset parameter to fix a specific setup where
tunnel endpoints
running L2TPv3 would use different v
Sorry for only just seeing this (vacation).
On 28/12/17 19:45, Guillaume Nault wrote:
On Thu, Dec 28, 2017 at 07:23:48PM +0100, Lorenzo Bianconi wrote:
On Dec 28, Guillaume Nault wrote:
After a quick review of L2TPv3 and pseudowires RFCs, I still don't see
how adding some padding between the L
On 6 October 2017 at 05:45, SviMik wrote:
> 2017-10-04 10:49 GMT+03:00 James Chapman :
>> On 3 October 2017 at 08:27, James Chapman wrote:
>>> For capturing complete oops messages, have you tried setting up
>>> netconsole? You might also find the full text in the syslo
On 3 October 2017 at 08:27, James Chapman wrote:
> On 2 October 2017 at 19:35, SviMik wrote:
>> Hi, James!
>>
>> No, I'm suffering from kernel panics since I started using 4.x
>> kernels.
> It's interesting that you are seeing l2tp issues since switchi
syslog on reboot.
> 2017-10-02 16:56 GMT+03:00 Eric Dumazet :
>> CC svi...@gmail.com so that he is aware of this netdev thread.
>>
>> On Mon, 2017-10-02 at 14:32 +0100, James Chapman wrote:
>>> This seems to be a NULL pointer exception caused by tunnel->sock being
>
This seems to be a NULL pointer exception caused by tunnel->sock being
NULL at the call to bh_lock_sock() in l2tp_xmit_skb() at
l2tp_core.c:1135.
tunnel->sock is set NULL in l2tp_core's tunnel socket destructor.
At the moment, I don't understand how this happens because
pppol2tp_xmit() does a soc
On 24/04/17 13:16, Guillaume Nault wrote:
> Export type of l2tpeth interfaces to userspace
> (/sys/class/net//uevent).
>
> Signed-off-by: Guillaume Nault
Acked-by: James Chapman
On 24/04/17 13:16, Guillaume Nault wrote:
> Export naming scheme used when creating l2tpeth interfaces
> (/sys/class/net//name_assign_type). This lets userspace know if
> the device's name has been generated automatically or defined manually.
>
> Signed-off-by: Guillaume Na
>>>
>>> Signed-off-by: R. Parameswaran
>> Just use the IPv4/IPv6 header size for now, just like the VXLAN
>> driver does.
>>
> Actually, that's how the original posting was - it was changed in
> response to a review comment from James Chapman requesting
1 - 100 of 224 matches