From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, James Chapman <jchapman@katalix.com>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [53/65] l2tp: l2tp_ip - fix possible oops on packet receive
Date: Wed, 01 Feb 2012 12:56:33 -0800
Message-ID: <20120201205742.099348948@clark.kroah.org>
In-Reply-To: <20120201210236.GA25966@kroah.com>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------


From: James Chapman <jchapman@katalix.com>

[ Upstream commit 68315801dbf3ab2001679fd2074c9dc5dcf87dfa ]

When a packet is received on an L2TP IP socket (L2TPv3 IP link
encapsulation), the l2tpip socket's backlog_rcv function calls
xfrm4_policy_check(). This is not necessary, since it was called
before the skb was added to the backlog. With CONFIG_NET_NS enabled,
xfrm4_policy_check() will oops if skb->dev is null, so this trivial
patch removes the call.

This bug has always been present, but only when CONFIG_NET_NS is
enabled does it cause problems. Most users are probably using UDP
encapsulation for L2TP, hence the problem has only recently
surfaced.

EIP: 0060:[<c12bb62b>] EFLAGS: 00210246 CPU: 0
EIP is at l2tp_ip_recvmsg+0xd4/0x2a7
EAX: 00000001 EBX: d77b5180 ECX: 00000000 EDX: 00200246
ESI: 00000000 EDI: d63cbd30 EBP: d63cbd18 ESP: d63cbcf4
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Call Trace:
 [<c1218568>] sock_common_recvmsg+0x31/0x46
 [<c1215c92>] __sock_recvmsg_nosec+0x45/0x4d
 [<c12163a1>] __sock_recvmsg+0x31/0x3b
 [<c1216828>] sock_recvmsg+0x96/0xab
 [<c10b2693>] ? might_fault+0x47/0x81
 [<c10b2693>] ? might_fault+0x47/0x81
 [<c1167fd0>] ? _copy_from_user+0x31/0x115
 [<c121e8c8>] ? copy_from_user+0x8/0xa
 [<c121ebd6>] ? verify_iovec+0x3e/0x78
 [<c1216604>] __sys_recvmsg+0x10a/0x1aa
 [<c1216792>] ? sock_recvmsg+0x0/0xab
 [<c105a99b>] ? __lock_acquire+0xbdf/0xbee
 [<c12d5a99>] ? do_page_fault+0x193/0x375
 [<c10d1200>] ? fcheck_files+0x9b/0xca
 [<c10d1259>] ? fget_light+0x2a/0x9c
 [<c1216bbb>] sys_recvmsg+0x2b/0x43
 [<c1218145>] sys_socketcall+0x16d/0x1a5
 [<c11679f0>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c100305f>] sysenter_do_call+0x12/0x38
Code: c6 05 8c ea a8 c1 01 e8 0c d4 d9 ff 85 f6 74 07 3e ff 86 80 00 00 00 b9 17 b6 2b c1 ba 01 00 00 00 b8 78 ed 48 c1 e8 23 f6 d9 ff <ff> 76 0c 68 28 e3 30 c1 68 2d 44 41 c1 e8 89 57 01 00 83 c4 0c

Signed-off-by: James Chapman <jchapman@katalix.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/l2tp/l2tp_ip.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -393,11 +393,6 @@ static int l2tp_ip_backlog_recv(struct s
 {
 	int rc;
 
-	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
-		goto drop;
-
-	nf_reset(skb);
-
 	/* Charge it to the socket, dropping if the queue is full. */
 	rc = sock_queue_rcv_skb(sk, skb);
 	if (rc < 0)
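
Review bot: The changelog justifies dropping xfrm4_policy_check() from l2tp_ip_backlog_recv() (it already ran before the skb was added to the backlog), but the same hunk also deletes nf_reset(skb) and nothing in the description says why that is safe. Please add a sentence to the changelog stating whether nf_reset() is likewise already done before the skb is queued to the backlog, or keep the nf_reset(skb) call here. It is also worth confirming that the drop label still has a user once the goto drop is gone; the visible context ends at if (rc < 0), so that cannot be checked from this hunk.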


