Eric Lee / smarc-fsl-linux-kernel

07 Feb, 2019

3 commits

  • 3924ebe54   l2tp: fix reading optional fields of L2TPv3 ... Browse Code »

    [ Upstream commit 4522a70db7aa5e77526a4079628578599821b193 ]

    Use pskb_may_pull() to make sure the optional fields are in skb linear
    parts, so we can safely read them later.

    It's easy to reproduce the issue with a net driver that supports paged
    skb data. Just create a L2TPv3 over IP tunnel and then generates some
    network traffic.
    Once reproduced, rx err in /sys/kernel/debug/l2tp/tunnels will increase.

    Changes in v4:
    1. s/l2tp_v3_pull_opt/l2tp_v3_ensure_opt_in_linear/
    2. s/tunnel->version != L2TP_HDR_VER_2/tunnel->version == L2TP_HDR_VER_3/
    3. Add 'Fixes' in commit messages.

    Changes in v3:
    1. To keep consistency, move the code out of l2tp_recv_common.
    2. Use "net" instead of "net-next", since this is a bug fix.

    Changes in v2:
    1. Only fix L2TPv3 to make code simple.
    To fix both L2TPv3 and L2TPv2, we'd better refactor l2tp_recv_common.
    It's complicated to do so.
    2. Reloading pointers after pskb_may_pull

    Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support")
    Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
    Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
    Signed-off-by: Jacob Wen
    Acked-by: Guillaume Nault
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Jacob Wen
     
  • a12098dd9   l2tp: remove l2specific_len dependency in l2tp_core ... Browse Code »

    commit 62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38 upstream.

    Remove l2specific_len dependency while building l2tpv3 header or
    parsing the received frame since default L2-Specific Sublayer is
    always four bytes long and we don't need to rely on a user supplied
    value.
    Moreover in l2tp netlink code there are no sanity checks to
    enforce the relation between l2specific_len and l2specific_type,
    so sending a malformed netlink message is possible to set
    l2specific_type to L2TP_L2SPECTYPE_DEFAULT (or even
    L2TP_L2SPECTYPE_NONE) and set l2specific_len to a value greater than
    4 leaking memory on the wire and sending corrupted frames.

    Reviewed-by: Guillaume Nault
    Tested-by: Guillaume Nault
    Signed-off-by: Lorenzo Bianconi
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Lorenzo Bianconi
     
  • 6dac61bfd   l2tp: copy 4 more bytes to linear part if necessary ... Browse Code »

    [ Upstream commit 91c524708de6207f59dd3512518d8a1c7b434ee3 ]

    The size of L2TPv2 header with all optional fields is 14 bytes.
    l2tp_udp_recv_core only moves 10 bytes to the linear part of a
    skb. This may lead to l2tp_recv_common read data outside of a skb.

    This patch make sure that there is at least 14 bytes in the linear
    part of a skb to meet the maximum need of l2tp_udp_recv_core and
    l2tp_recv_common. The minimum size of both PPP HDLC-like frame and
    Ethernet frame is larger than 14 bytes, so we are safe to do so.

    Also remove L2TP_HDR_SIZE_NOSEQ, it is unused now.

    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Suggested-by: Guillaume Nault
    Signed-off-by: Jacob Wen
    Acked-by: Guillaume Nault
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Jacob Wen
     

04 Nov, 2018

1 commit

  • 5c097f55e   l2tp: remove configurable payload offset ... Browse Code »

    [ Upstream commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 ]

    If L2TP_ATTR_OFFSET is set to a non-zero value in L2TPv3 tunnels, it
    results in L2TPv3 packets being transmitted which might not be
    compliant with the L2TPv3 RFC. This patch has l2tp ignore the offset
    setting and send all packets with no offset.

    In more detail:

    L2TPv2 supports a variable offset from the L2TPv2 header to the
    payload. The offset value is indicated by an optional field in the
    L2TP header. Our L2TP implementation already detects the presence of
    the optional offset and skips that many bytes when handling data
    received packets. All transmitted packets are always transmitted with
    no offset.

    L2TPv3 has no optional offset field in the L2TPv3 packet
    header. Instead, L2TPv3 defines optional fields in a "Layer-2 Specific
    Sublayer". At the time when the original L2TP code was written, there
    was talk at IETF of offset being implemented in a new Layer-2 Specific
    Sublayer. A L2TP_ATTR_OFFSET netlink attribute was added so that this
    offset could be configured and the intention was to allow it to be
    also used to set the tx offset for L2TPv2. However, no L2TPv3 offset
    was ever specified and the L2TP_ATTR_OFFSET parameter was forgotten
    about.

    Setting L2TP_ATTR_OFFSET results in L2TPv3 packets being transmitted
    with the specified number of bytes padding between L2TPv3 header and
    payload. This is not compliant with L2TPv3 RFC3931. This change
    removes the configurable offset altogether while retaining
    L2TP_ATTR_OFFSET for backwards compatibility. Any L2TP_ATTR_OFFSET
    value is ignored.

    Signed-off-by: James Chapman
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

    James Chapman
     

22 Aug, 2018

1 commit

  • 46be8e447   l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache ... Browse Code »

    [ Upstream commit 6d37fa49da1e8db8fb1995be22ac837ca41ac8a8 ]

    In l2tp code, if it is a L2TP_UDP_ENCAP tunnel, tunnel->sk points to a
    UDP socket. User could call sendmsg() on both this tunnel and the UDP
    socket itself concurrently. As l2tp_xmit_skb() holds socket lock and call
    __sk_dst_check() to refresh sk->sk_dst_cache, while udpv6_sendmsg() is
    lockless and call sk_dst_check() to refresh sk->sk_dst_cache, there
    could be a race and cause the dst cache to be freed multiple times.
    So we fix l2tp side code to always call sk_dst_check() to garantee
    xchg() is called when refreshing sk->sk_dst_cache to avoid race
    conditions.

    Syzkaller reported stack trace:
    BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
    BUG: KASAN: use-after-free in atomic_fetch_add_unless include/linux/atomic.h:575 [inline]
    BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:597 [inline]
    BUG: KASAN: use-after-free in dst_hold_safe include/net/dst.h:308 [inline]
    BUG: KASAN: use-after-free in ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029
    Read of size 4 at addr ffff8801aea9a880 by task syz-executor129/4829

    CPU: 0 PID: 4829 Comm: syz-executor129 Not tainted 4.18.0-rc7-next-20180802+ #30
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
    print_address_description+0x6c/0x20b mm/kasan/report.c:256
    kasan_report_error mm/kasan/report.c:354 [inline]
    kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
    check_memory_region_inline mm/kasan/kasan.c:260 [inline]
    check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
    kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
    atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
    atomic_fetch_add_unless include/linux/atomic.h:575 [inline]
    atomic_add_unless include/linux/atomic.h:597 [inline]
    dst_hold_safe include/net/dst.h:308 [inline]
    ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029
    rt6_get_pcpu_route net/ipv6/route.c:1249 [inline]
    ip6_pol_route+0x354/0xd20 net/ipv6/route.c:1922
    ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2098
    fib6_rule_lookup+0x283/0x890 net/ipv6/fib6_rules.c:122
    ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2126
    ip6_dst_lookup_tail+0x1278/0x1da0 net/ipv6/ip6_output.c:978
    ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1079
    ip6_sk_dst_lookup_flow+0x5ed/0xc50 net/ipv6/ip6_output.c:1117
    udpv6_sendmsg+0x2163/0x36b0 net/ipv6/udp.c:1354
    inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
    sock_sendmsg_nosec net/socket.c:622 [inline]
    sock_sendmsg+0xd5/0x120 net/socket.c:632
    ___sys_sendmsg+0x51d/0x930 net/socket.c:2115
    __sys_sendmmsg+0x240/0x6f0 net/socket.c:2210
    __do_sys_sendmmsg net/socket.c:2239 [inline]
    __se_sys_sendmmsg net/socket.c:2236 [inline]
    __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
    do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
    entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x446a29
    Code: e8 ac b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f4de5532db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
    RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 0000000000446a29
    RDX: 00000000000000b8 RSI: 0000000020001b00 RDI: 0000000000000003
    RBP: 00000000006dcc30 R08: 00007f4de5533700 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c
    R13: 00007ffe2b830fdf R14: 00007f4de55339c0 R15: 0000000000000001

    Fixes: 71b1391a4128 ("l2tp: ensure sk->dst is still valid")
    Reported-by: syzbot+05f840f3b04f211bad55@syzkaller.appspotmail.com
    Signed-off-by: Wei Wang
    Signed-off-by: Martin KaFai Lau
    Cc: Guillaume Nault
    Cc: David Ahern
    Cc: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Wei Wang
     

19 May, 2018

1 commit

29 Apr, 2018

1 commit

  • dbf57fd1e   l2tp: check sockaddr length in pppol2tp_connect() ... Browse Code »

    [ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ]

    Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that
    it actually points to valid data.

    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Guillaume Nault
     

12 Apr, 2018

1 commit

  • ab4ac0fc4   l2tp: fix missing print session offset info ... Browse Code »

    [ Upstream commit 820da5357572715c6235ba3b3daa2d5b43a1198f ]

    Report offset parameter in L2TP_CMD_SESSION_GET command if
    it has been configured by userspace

    Fixes: 309795f4bec ("l2tp: Add netlink control API for L2TP")
    Reported-by: Jianlin Shi
    Signed-off-by: Hangbin Liu
    Signed-off-by: Lorenzo Bianconi
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Hangbin Liu
     

08 Apr, 2018

1 commit

  • b0850604c   l2tp: fix races with ipv4-mapped ipv6 addresses ... Browse Code »

    commit b954f94023dcc61388c8384f0f14eb8e42c863c5 upstream.

    The l2tp_tunnel_create() function checks for v4mapped ipv6
    sockets and cache that flag, so that l2tp core code can
    reusing it at xmit time.

    If the socket is provided by the userspace, the connection
    status of the tunnel sockets can change between the tunnel
    creation and the xmit call, so that syzbot is able to
    trigger the following splat:

    BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192
    [inline]
    BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
    net/ipv6/ip6_output.c:264
    Read of size 8 at addr ffff8801bd949318 by task syz-executor4/23448

    CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
    Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:17 [inline]
    dump_stack+0x194/0x24d lib/dump_stack.c:53
    print_address_description+0x73/0x250 mm/kasan/report.c:256
    kasan_report_error mm/kasan/report.c:354 [inline]
    kasan_report+0x23c/0x360 mm/kasan/report.c:412
    __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
    ip6_dst_idev include/net/ip6_fib.h:192 [inline]
    ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
    inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
    l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
    l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
    pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
    sock_sendmsg_nosec net/socket.c:630 [inline]
    sock_sendmsg+0xca/0x110 net/socket.c:640
    ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
    __sys_sendmsg+0xe5/0x210 net/socket.c:2080
    SYSC_sendmsg net/socket.c:2091 [inline]
    SyS_sendmsg+0x2d/0x50 net/socket.c:2087
    do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
    entry_SYSCALL_64_after_hwframe+0x42/0xb7
    RIP: 0033:0x453e69
    RSP: 002b:00007f819593cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00007f819593d6d4 RCX: 0000000000453e69
    RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
    RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000000

    This change addresses the issues:
    * explicitly checking for TCP_ESTABLISHED for user space provided sockets
    * dropping the v4mapped flag usage - it can become outdated - and
    explicitly invoking ipv6_addr_v4mapped() instead

    The issue is apparently there since ancient times.

    v1 -> v2: (many thanks to Guillaume)
    - with csum issue introduced in v1
    - replace pr_err with pr_debug
    - fix build issue with IPV6 disabled
    - move l2tp_sk_is_v4mapped in l2tp_core.c

    v2 -> v3:
    - don't update inet_daddr for v4mapped address, unneeded
    - drop rendundant check at creation time

    Reported-and-tested-by: syzbot+92fa328176eb07e4ac1a@syzkaller.appspotmail.com
    Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
    Signed-off-by: Paolo Abeni
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Paolo Abeni
     

01 Apr, 2018

1 commit

  • 2d5b0ed04   l2tp: do not accept arbitrary sockets ... Browse Code »

    [ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ]

    syzkaller found an issue caused by lack of sufficient checks
    in l2tp_tunnel_create()

    RAW sockets can not be considered as UDP ones for instance.

    In another patch, we shall replace all pr_err() by less intrusive
    pr_debug() so that syzkaller can find other bugs faster.
    Acked-by: Guillaume Nault
    Acked-by: James Chapman

    ==================================================================
    BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
    dst_release: dst:00000000d53d0d0f refcnt:-1
    Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

    CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:17 [inline]
    dump_stack+0x194/0x24d lib/dump_stack.c:53
    print_address_description+0x73/0x250 mm/kasan/report.c:256
    kasan_report_error mm/kasan/report.c:354 [inline]
    kasan_report+0x23b/0x360 mm/kasan/report.c:412
    __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
    setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
    l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
    pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
    SYSC_connect+0x213/0x4a0 net/socket.c:1640
    SyS_connect+0x24/0x30 net/socket.c:1621
    do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
    entry_SYSCALL_64_after_hwframe+0x42/0xb7

    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Eric Dumazet
     

20 Dec, 2017

1 commit

  • ff62605e0   l2tp: cleanup l2tp_tunnel_delete calls ... Browse Code »

    [ Upstream commit 4dc12ffeaeac939097a3f55c881d3dc3523dff0c ]

    l2tp_tunnel_delete does not return anything since commit 62b982eeb458
    ("l2tp: fix race condition in l2tp_tunnel_delete"). But call sites of
    l2tp_tunnel_delete still do casts to void to avoid unused return value
    warnings.

    Kill these now useless casts.

    Signed-off-by: Jiri Slaby
    Cc: Sabrina Dubroca
    Cc: Guillaume Nault
    Cc: David S. Miller
    Cc: netdev@vger.kernel.org
    Acked-by: Guillaume Nault
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Jiri Slaby
     

05 Nov, 2017

1 commit

  • 8f7dc9ae4   l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 ... Browse Code »

    Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:

    * It doesn't take a reference on the returned tunnel, which makes the
    call racy wrt. concurrent tunnel deletion.

    * The lookup is only based on the tunnel identifier, so it can return
    a tunnel that doesn't match the packet's addresses or protocol.

    For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
    delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
    cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
    corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
    sk_receive_skb() will then crash the kernel by trying to execute this
    callback.

    And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
    properly checks the socket binding and connection settings. It was used
    as a fallback mechanism for finding tunnels that didn't have their data
    path registered yet. But it's not limited to this case and can be used
    to replace l2tp_tunnel_find() in the general case.

    Fix l2tp_ip6 in the same way.

    Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
    Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     

03 Nov, 2017

1 commit

  • ead751507   Merge tag 'spdx_identifiers-4.14-rc8' of git://git.kernel.org/pub/scm/linux/kern… ... Browse Code »

    …el/git/gregkh/driver-core

    Pull initial SPDX identifiers from Greg KH:
    "License cleanup: add SPDX license identifiers to some files

    Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the
    'GPL-2.0' SPDX license identifier. The SPDX identifier is a legally
    binding shorthand, which can be used instead of the full boiler plate
    text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart
    and Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset
    of the use cases:

    - file had no licensing information it it.

    - file was a */uapi/* one with no licensing information in it,

    - file was a */uapi/* one with existing licensing information,

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to
    license had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied
    to a file was done in a spreadsheet of side by side results from of
    the output of two independent scanners (ScanCode & Windriver)
    producing SPDX tag:value files created by Philippe Ombredanne.
    Philippe prepared the base worksheet, and did an initial spot review
    of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537
    files assessed. Kate Stewart did a file by file comparison of the
    scanner results in the spreadsheet to determine which SPDX license
    identifier(s) to be applied to the file. She confirmed any
    determination that was not immediately clear with lawyers working with
    the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging was:

    - Files considered eligible had to be source code files.

    - Make and config files were included as candidates if they contained
    >5 lines of source

    - File already had some variant of a license header in it (even if <5
    lines).

    All documentation files were explicitly excluded.

    The following heuristics were used to determine which SPDX license
    identifiers to apply.

    - when both scanners couldn't find any license traces, file was
    considered to have no license information in it, and the top level
    COPYING file license applied.

    For non */uapi/* files that summary was:

    SPDX license identifier # files
    ---------------------------------------------------|-------
    GPL-2.0 11139

    and resulted in the first patch in this series.

    If that file was a */uapi/* path one, it was "GPL-2.0 WITH
    Linux-syscall-note" otherwise it was "GPL-2.0". Results of that
    was:

    SPDX license identifier # files
    ---------------------------------------------------|-------
    GPL-2.0 WITH Linux-syscall-note 930

    and resulted in the second patch in this series.

    - if a file had some form of licensing information in it, and was one
    of the */uapi/* ones, it was denoted with the Linux-syscall-note if
    any GPL family license was found in the file or had no licensing in
    it (per prior point). Results summary:

    SPDX license identifier # files
    ---------------------------------------------------|------
    GPL-2.0 WITH Linux-syscall-note 270
    GPL-2.0+ WITH Linux-syscall-note 169
    ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
    ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
    LGPL-2.1+ WITH Linux-syscall-note 15
    GPL-1.0+ WITH Linux-syscall-note 14
    ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
    LGPL-2.0+ WITH Linux-syscall-note 4
    LGPL-2.1 WITH Linux-syscall-note 3
    ((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
    ((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1

    and that resulted in the third patch in this series.

    - when the two scanners agreed on the detected license(s), that
    became the concluded license(s).

    - when there was disagreement between the two scanners (one detected
    a license but the other didn't, or they both detected different
    licenses) a manual inspection of the file occurred.

    - In most cases a manual inspection of the information in the file
    resulted in a clear resolution of the license that should apply
    (and which scanner probably needed to revisit its heuristics).

    - When it was not immediately clear, the license identifier was
    confirmed with lawyers working with the Linux Foundation.

    - If there was any question as to the appropriate license identifier,
    the file was flagged for further research and to be revisited later
    in time.

    In total, over 70 hours of logged manual review was done on the
    spreadsheet to determine the SPDX license identifiers to apply to the
    source files by Kate, Philippe, Thomas and, in some cases,
    confirmation by lawyers working with the Linux Foundation.

    Kate also obtained a third independent scan of the 4.13 code base from
    FOSSology, and compared selected files where the other two scanners
    disagreed against that SPDX file, to see if there was new insights.
    The Windriver scanner is based on an older version of FOSSology in
    part, so they are related.

    Thomas did random spot checks in about 500 files from the spreadsheets
    for the uapi headers and agreed with SPDX license identifier in the
    files he inspected. For the non-uapi files Thomas did random spot
    checks in about 15000 files.

    In initial set of patches against 4.14-rc6, 3 files were found to have
    copy/paste license identifier errors, and have been fixed to reflect
    the correct identifier.

    Additionally Philippe spent 10 hours this week doing a detailed manual
    inspection and review of the 12,461 patched files from the initial
    patch version early this week with:

    - a full scancode scan run, collecting the matched texts, detected
    license ids and scores

    - reviewing anything where there was a license detected (about 500+
    files) to ensure that the applied SPDX license was correct

    - reviewing anything where there was no detection but the patch
    license was not GPL-2.0 WITH Linux-syscall-note to ensure that the
    applied SPDX license was correct

    This produced a worksheet with 20 files needing minor correction. This
    worksheet was then exported into 3 different .csv files for the
    different types of files to be modified.

    These .csv files were then reviewed by Greg. Thomas wrote a script to
    parse the csv files and add the proper SPDX tag to the file, in the
    format that the file expected. This script was further refined by Greg
    based on the output to detect more types of files automatically and to
    distinguish between header and source .c files (which need different
    comment types.) Finally Greg ran the script using the .csv files to
    generate the patches.

    Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
    Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"

    * tag 'spdx_identifiers-4.14-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
    License cleanup: add SPDX license identifier to uapi header files with a license
    License cleanup: add SPDX license identifier to uapi header files with no license
    License cleanup: add SPDX GPL-2.0 license identifier to files with no license

    Linus Torvalds
     

02 Nov, 2017

1 commit

  • b24413180   License cleanup: add SPDX GPL-2.0 license identifier to files with no license ... Browse Code »

    Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the 'GPL-2.0'
    SPDX license identifier. The SPDX identifier is a legally binding
    shorthand, which can be used instead of the full boiler plate text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart and
    Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset of
    the use cases:
    - file had no licensing information it it.
    - file was a */uapi/* one with no licensing information in it,
    - file was a */uapi/* one with existing licensing information,

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to license
    had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied to
    a file was done in a spreadsheet of side by side results from of the
    output of two independent scanners (ScanCode & Windriver) producing SPDX
    tag:value files created by Philippe Ombredanne. Philippe prepared the
    base worksheet, and did an initial spot review of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537 files
    assessed. Kate Stewart did a file by file comparison of the scanner
    results in the spreadsheet to determine which SPDX license identifier(s)
    to be applied to the file. She confirmed any determination that was not
    immediately clear with lawyers working with the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging was:
    - Files considered eligible had to be source code files.
    - Make and config files were included as candidates if they contained >5
    lines of source
    - File already had some variant of a license header in it (even if
    Reviewed-by: Philippe Ombredanne
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

31 Oct, 2017

1 commit

  • f9e56baf0   l2tp: hold tunnel in pppol2tp_connect() ... Browse Code »

    Use l2tp_tunnel_get() in pppol2tp_connect() to ensure the tunnel isn't
    going to disappear while processing the rest of the function.

    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     

15 Oct, 2017

1 commit

  • 5903f5949   l2tp: check ps->sock before running pppol2tp_session_ioctl() ... Browse Code »

    When pppol2tp_session_ioctl() is called by pppol2tp_tunnel_ioctl(),
    the session may be unconnected. That is, it was created by
    pppol2tp_session_create() and hasn't been connected with
    pppol2tp_connect(). In this case, ps->sock is NULL, so we need to check
    for this case in order to avoid dereferencing a NULL pointer.

    Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     

02 Oct, 2017

1 commit

  • 9f775ead5   l2tp: fix l2tp_eth module loading ... Browse Code »

    The l2tp_eth module crashes if its netlink callbacks are run when the
    pernet data aren't initialised.

    We should normally register_pernet_device() before the genl callbacks.
    However, the pernet data only maintain a list of l2tpeth interfaces,
    and this list is never used. So let's just drop pernet handling
    instead.

    Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     

27 Sep, 2017

1 commit

  • 62b982eeb   l2tp: fix race condition in l2tp_tunnel_delete ... Browse Code »

    If we try to delete the same tunnel twice, the first delete operation
    does a lookup (l2tp_tunnel_get), finds the tunnel, calls
    l2tp_tunnel_delete, which queues it for deletion by
    l2tp_tunnel_del_work.

    The second delete operation also finds the tunnel and calls
    l2tp_tunnel_delete. If the workqueue has already fired and started
    running l2tp_tunnel_del_work, then l2tp_tunnel_delete will queue the
    same tunnel a second time, and try to free the socket again.

    Add a dead flag to prevent firing the workqueue twice. Then we can
    remove the check of queue_work's result that was meant to prevent that
    race but doesn't.

    Reproducer:

    ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 local 192.168.0.2 remote 192.168.0.1 encap udp udp_sport 5000 udp_dport 6000
    ip l2tp add session name l2tp1 tunnel_id 3000 session_id 1000 peer_session_id 2000
    ip link set l2tp1 up
    ip l2tp del tunnel tunnel_id 3000
    ip l2tp del tunnel tunnel_id 3000

    Fixes: f8ccac0e4493 ("l2tp: put tunnel socket release on a workqueue")
    Reported-by: Jianlin Shi
    Signed-off-by: Sabrina Dubroca
    Acked-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Sabrina Dubroca
     

26 Sep, 2017

2 commits

  • b228a9406   l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall() ... Browse Code »

    There are several ways to remove L2TP sessions:

    * deleting a session explicitly using the netlink interface (with
    L2TP_CMD_SESSION_DELETE),
    * deleting the session's parent tunnel (either by closing the
    tunnel's file descriptor or using the netlink interface),
    * closing the PPPOL2TP file descriptor of a PPP pseudo-wire.

    In some cases, when these methods are used concurrently on the same
    session, the session can be removed twice, leading to use-after-free
    bugs.

    This patch adds a 'dead' flag, used by l2tp_session_delete() and
    l2tp_tunnel_closeall() to prevent them from stepping on each other's
    toes.

    The session deletion path used when closing a PPPOL2TP file descriptor
    doesn't need to be adapted. It already has to ensure that a session
    remains valid for the lifetime of its PPPOL2TP file descriptor.
    So it takes an extra reference on the session in the ->session_close()
    callback (pppol2tp_session_close()), which is eventually dropped
    in the ->sk_destruct() callback of the PPPOL2TP socket
    (pppol2tp_session_destruct()).
    Still, __l2tp_session_unhash() and l2tp_session_queue_purge() can be
    called twice and even concurrently for a given session, but thanks to
    proper locking and re-initialisation of list fields, this is not an
    issue.

    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     
  • cdd10c962   l2tp: ensure sessions are freed after their PPPOL2TP socket ... Browse Code »

    If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session
    right after pppol2tp_release() orphaned its socket, then the 'sock'
    variable of the pppol2tp_session_close() callback is NULL. Yet the
    session is still used by pppol2tp_release().

    Therefore we need to take an extra reference in any case, to prevent
    l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session.

    Since the pppol2tp_session_close() callback is only set if the session
    is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete()
    and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling
    pppol2tp_session_close(), we're sure that pppol2tp_session_close() and
    pppol2tp_session_destruct() are paired and called in the right order.
    So the reference taken by the former will be released by the later.

    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     

04 Sep, 2017

2 commits

  • f026bc29a   l2tp: pass tunnel pointer to ->session_create() ... Browse Code »

    Using l2tp_tunnel_find() in pppol2tp_session_create() and
    l2tp_eth_create() is racy, because no reference is held on the
    returned session. These functions are only used to implement the
    ->session_create callback which is run by l2tp_nl_cmd_session_create().
    Therefore searching for the parent tunnel isn't necessary because
    l2tp_nl_cmd_session_create() already has a pointer to it and holds a
    reference.

    This patch modifies ->session_create()'s prototype to directly pass the
    the parent tunnel as parameter, thus avoiding searching for it in
    pppol2tp_session_create() and l2tp_eth_create().

    Since we have to touch the ->session_create() call in
    l2tp_nl_cmd_session_create(), let's also remove the useless conditional:
    we know that ->session_create isn't NULL at this point because it's
    already been checked earlier in this same function.

    Finally, one might be tempted to think that the removed
    l2tp_tunnel_find() calls were harmless because they would return the
    same tunnel as the one held by l2tp_nl_cmd_session_create() anyway.
    But that tunnel might be removed and a new one created with same tunnel
    Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find()
    would return the new tunnel which wouldn't be protected by the
    reference held by l2tp_nl_cmd_session_create().

    Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
    Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     
  • f3c66d4e1   l2tp: prevent creation of sessions on terminated tunnels ... Browse Code »

    l2tp_tunnel_destruct() sets tunnel->sock to NULL, then removes the
    tunnel from the pernet list and finally closes all its sessions.
    Therefore, it's possible to add a session to a tunnel that is still
    reachable, but for which tunnel->sock has already been reset. This can
    make l2tp_session_create() dereference a NULL pointer when calling
    sock_hold(tunnel->sock).

    This patch adds the .acpt_newsess field to struct l2tp_tunnel, which is
    used by l2tp_tunnel_closeall() to prevent addition of new sessions to
    tunnels. Resetting tunnel->sock is done after l2tp_tunnel_closeall()
    returned, so that l2tp_session_add_to_tunnel() can safely take a
    reference on it when .acpt_newsess is true.

    The .acpt_newsess field is modified in l2tp_tunnel_closeall(), rather
    than in l2tp_tunnel_destruct(), so that it benefits all tunnel removal
    mechanisms. E.g. on UDP tunnels, a session could be added to a tunnel
    after l2tp_udp_encap_destroy() proceeded. This would prevent the tunnel
    from being removed because of the references held by this new session
    on the tunnel and its socket. Even though the session could be removed
    manually later on, this defeats the purpose of
    commit 9980d001cec8 ("l2tp: add udp encap socket destroy handler").

    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     

29 Aug, 2017

6 commits

  • e702c1204   l2tp: hold tunnel used while creating sessions with netlink ... Browse Code »

    Use l2tp_tunnel_get() to retrieve tunnel, so that it can't go away on
    us. Otherwise l2tp_tunnel_destruct() might release the last reference
    count concurrently, thus freeing the tunnel while we're using it.

    Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     
  • 4e4b21da3   l2tp: hold tunnel while handling genl TUNNEL_GET commands ... Browse Code »

    Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
    a reference on the tunnel, preventing l2tp_tunnel_destruct() from
    freeing it from under us.

    Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
    the reference when needed.

    Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     
  • 8c0e42152   l2tp: hold tunnel while handling genl tunnel updates ... Browse Code »

    We need to make sure the tunnel is not going to be destroyed by
    l2tp_tunnel_destruct() concurrently.

    Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     
  • bb0a32ce4   l2tp: hold tunnel while processing genl delete command ... Browse Code »

    l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to
    prevent it from being concurrently freed by l2tp_tunnel_destruct().

    Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     
  • 54652eb12   l2tp: hold tunnel while looking up sessions in l2tp_netlink ... Browse Code »

    l2tp_tunnel_find() doesn't take a reference on the returned tunnel.
    Therefore, it's unsafe to use it because the returned tunnel can go
    away on us anytime.

    Fix this by defining l2tp_tunnel_get(), which works like
    l2tp_tunnel_find(), but takes a reference on the returned tunnel.
    Caller then has to drop this reference using l2tp_tunnel_dec_refcount().

    As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's
    simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code
    has been broken (not even compiling) in May 2012 by
    commit a4ca44fa578c ("net: l2tp: Standardize logging styles")
    and fixed more than two years later by
    commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it
    doesn't appear to be used by anyone.

    Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h,
    let's just simplify things and call kfree_rcu() directly in
    l2tp_tunnel_dec_refcount(). Extra assertions and debugging code
    provided by l2tp_tunnel_free() didn't help catching any of the
    reference counting and socket handling issues found while working on
    this series.

    Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     
  • 9ee369a40   l2tp: initialise session's refcount before making it reachable ... Browse Code »

    Sessions must be fully initialised before calling
    l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame
    where partially initialised sessions can be accessed by external users.

    Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
    Signed-off-by: Guillaume Nault
    Signed-off-by: David S. Miller

    Guillaume Nault
     

05 Jul, 2017

2 commits

01 Jul, 2017

1 commit

  • 41c6d650f   net: convert sock.sk_refcnt from atomic_t to refcount_t ... Browse Code »

    refcount_t type and corresponding API should be
    used instead of atomic_t when the variable is used as
    a reference counter. This allows to avoid accidental
    refcounter overflows that might lead to use-after-free
    situations.

    This patch uses refcount_inc_not_zero() instead of
    atomic_inc_not_zero_hint() due to absense of a _hint()
    version of refcount API. If the hint() version must
    be used, we might need to revisit API.

    Signed-off-by: Elena Reshetova
    Signed-off-by: Hans Liljestrand
    Signed-off-by: Kees Cook
    Signed-off-by: David Windsor
    Signed-off-by: David S. Miller

    Reshetova, Elena
     

11 Jun, 2017

1 commit

  • 9b3dc0a17   l2tp: cast l2tp traffic counter to unsigned ... Browse Code »

    This fixes a counter problem on 32bit systems:
    When the rx_bytes counter reached 2 GiB, it jumpd to (2^64 Bytes - 2GiB) Bytes.

    rtnl_link_stats64 has __u64 type and atomic_long_read returns
    atomic_long_t which is signed. Due to the conversation
    we get an incorrect value on 32bit systems if the MSB of
    the atomic_long_t value is set.

    CC: Tom Parkin
    Fixes: 7b7c0719cd7a ("l2tp: avoid deadlock in l2tp stats update")
    Signed-off-by: Dominik Heidler
    Signed-off-by: David S. Miller

    Dominik Heidler
     

08 Jun, 2017

1 commit

  • cf124db56   net: Fix inconsistent teardown and release of private netdev state. ... Browse Code »

    Network devices can allocate reasources and private memory using
    netdev_ops->ndo_init(). However, the release of these resources
    can occur in one of two different places.

    Either netdev_ops->ndo_uninit() or netdev->destructor().

    The decision of which operation frees the resources depends upon
    whether it is necessary for all netdev refs to be released before it
    is safe to perform the freeing.

    netdev_ops->ndo_uninit() presumably can occur right after the
    NETDEV_UNREGISTER notifier completes and the unicast and multicast
    address lists are flushed.

    netdev->destructor(), on the other hand, does not run until the
    netdev references all go away.

    Further complicating the situation is that netdev->destructor()
    almost universally does also a free_netdev().

    This creates a problem for the logic in register_netdevice().
    Because all callers of register_netdevice() manage the freeing
    of the netdev, and invoke free_netdev(dev) if register_netdevice()
    fails.

    If netdev_ops->ndo_init() succeeds, but something else fails inside
    of register_netdevice(), it does call ndo_ops->ndo_uninit(). But
    it is not able to invoke netdev->destructor().

    This is because netdev->destructor() will do a free_netdev() and
    then the caller of register_netdevice() will do the same.

    However, this means that the resources that would normally be released
    by netdev->destructor() will not be.

    Over the years drivers have added local hacks to deal with this, by
    invoking their destructor parts by hand when register_netdevice()
    fails.

    Many drivers do not try to deal with this, and instead we have leaks.

    Let's close this hole by formalizing the distinction between what
    private things need to be freed up by netdev->destructor() and whether
    the driver needs unregister_netdevice() to perform the free_netdev().

    netdev->priv_destructor() performs all actions to free up the private
    resources that used to be freed by netdev->destructor(), except for
    free_netdev().

    netdev->needs_free_netdev is a boolean that indicates whether
    free_netdev() should be done at the end of unregister_netdevice().

    Now, register_netdevice() can sanely release all resources after
    ndo_ops->ndo_init() succeeds, by invoking both ndo_ops->ndo_uninit()
    and netdev->priv_destructor().

    And at the end of unregister_netdevice(), we invoke
    netdev->priv_destructor() and optionally call free_netdev().

    Signed-off-by: David S. Miller

    David S. Miller
     

28 Apr, 2017

1 commit

25 Apr, 2017

2 commits

18 Apr, 2017

1 commit

  • 57240d007   l2tp: device MTU setup, tunnel socket needs a lock ... Browse Code »

    The MTU overhead calculation in L2TP device set-up
    merged via commit b784e7ebfce8cfb16c6f95e14e8532d0768ab7ff
    needs to be adjusted to lock the tunnel socket while
    referencing the sub-data structures to derive the
    socket's IP overhead.

    Reported-by: Guillaume Nault
    Tested-by: Guillaume Nault
    Signed-off-by: R. Parameswaran
    Signed-off-by: David S. Miller

    R. Parameswaran
     

16 Apr, 2017

1 commit

12 Apr, 2017

2 commits