<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/net/l2tp, branch linux-5.18.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-5.18.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-5.18.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2022-06-22T12:28:02+00:00</updated>
<entry>
<title>net: remove noblock parameter from skb_recv_datagram()</title>
<updated>2022-06-22T12:28:02+00:00</updated>
<author>
<name>Oliver Hartkopp</name>
<email>socketcan@hartkopp.net</email>
</author>
<published>2022-04-04T16:30:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f77cde4a269dea384b440dd8caeb616a57ac85d6'/>
<id>urn:sha1:f77cde4a269dea384b440dd8caeb616a57ac85d6</id>
<content type='text'>
[ Upstream commit f4b41f062c424209e3939a81e6da022e049a45f2 ]

skb_recv_datagram() has two parameters 'flags' and 'noblock' that are
merged inside skb_recv_datagram() by 'flags | (noblock ? MSG_DONTWAIT : 0)'

As 'flags' may contain MSG_DONTWAIT as value most callers split the 'flags'
into 'flags' and 'noblock' with finally obsolete bit operations like this:

skb_recv_datagram(sk, flags &amp; ~MSG_DONTWAIT, flags &amp; MSG_DONTWAIT, &amp;rc);

And this is not even done consistently with the 'flags' parameter.

This patch removes the obsolete and costly splitting into two parameters
and only performs bit operations when really needed on the caller side.

One missing conversion thankfully reported by kernel test robot. I missed
to enable kunit tests to build the mctp code.

Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg</title>
<updated>2022-06-22T12:27:54+00:00</updated>
<author>
<name>Wang Yufen</name>
<email>wangyufen@huawei.com</email>
</author>
<published>2022-06-07T12:00:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=034246122f5c5e2e2a0b9fe04e24517920e9beb1'/>
<id>urn:sha1:034246122f5c5e2e2a0b9fe04e24517920e9beb1</id>
<content type='text'>
[ Upstream commit f638a84afef3dfe10554c51820c16e39a278c915 ]

When len &gt;= INT_MAX - transhdrlen, ulen = len + transhdrlen will be
overflow. To fix, we can follow what udpv6 does and subtract the
transhdrlen from the max.

Signed-off-by: Wang Yufen &lt;wangyufen@huawei.com&gt;
Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>l2tp: add netns refcount tracker to l2tp_dfs_seq_data</title>
<updated>2021-12-10T14:38:27+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2021-12-10T07:44:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=285ec2fef4b87ba26400658b003ca9c76278d960'/>
<id>urn:sha1:285ec2fef4b87ba26400658b003ca9c76278d960</id>
<content type='text'>
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net/l2tp: convert tunnel rwlock_t to rcu</title>
<updated>2021-11-29T12:11:25+00:00</updated>
<author>
<name>Tom Parkin</name>
<email>tparkin@katalix.com</email>
</author>
<published>2021-11-26T16:09:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=07b8ca3792dec6bc3288b08ff85d80b5330de1d6'/>
<id>urn:sha1:07b8ca3792dec6bc3288b08ff85d80b5330de1d6</id>
<content type='text'>
Previously commit e02d494d2c60 ("l2tp: Convert rwlock to RCU") converted
most, but not all, rwlock instances in the l2tp subsystem to RCU.

The remaining rwlock protects the per-tunnel hashlist of sessions which
is used for session lookups in the UDP-encap data path.

Convert the remaining rwlock to rcu to improve performance of UDP-encap
tunnels.

Note that the tunnel and session, which both live on RCU-protected
lists, use slightly different approaches to incrementing their refcounts
in the various getter functions.

The tunnel has to use refcount_inc_not_zero because the tunnel shutdown
process involves dropping the refcount to zero prior to synchronizing
RCU readers (via. kfree_rcu).

By contrast, the session shutdown removes the session from the list(s)
it is on, synchronizes with readers, and then decrements the session
refcount.  Since the getter functions increment the session refcount
with the RCU read lock held we prevent getters seeing a zero session
refcount, and therefore don't need to use refcount_inc_not_zero.

Signed-off-by: Tom Parkin &lt;tparkin@katalix.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net/l2tp: Fix reference count leak in l2tp_udp_recv_core</title>
<updated>2021-09-09T10:00:20+00:00</updated>
<author>
<name>Xiyu Yang</name>
<email>xiyuyang19@fudan.edu.cn</email>
</author>
<published>2021-09-09T04:32:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9b6ff7eb666415e1558f1ba8a742f5db6a9954de'/>
<id>urn:sha1:9b6ff7eb666415e1558f1ba8a742f5db6a9954de</id>
<content type='text'>
The reference count leak issue may take place in an error handling
path. If both conditions of tunnel-&gt;version == L2TP_HDR_VER_3 and the
return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
would directly jump to label invalid, without decrementing the reference
count of the l2tp_session object session increased earlier by
l2tp_tunnel_get_session(). This may result in refcount leaks.

Fix this issue by decrease the reference count before jumping to the
label invalid.

Fixes: 4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3")
Signed-off-by: Xiyu Yang &lt;xiyuyang19@fudan.edu.cn&gt;
Signed-off-by: Xin Xiong &lt;xiongx18@fudan.edu.cn&gt;
Signed-off-by: Xin Tan &lt;tanxin.ctf@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>l2tp: Fix spelling mistakes</title>
<updated>2021-06-07T21:08:30+00:00</updated>
<author>
<name>Zheng Yongjun</name>
<email>zhengyongjun3@huawei.com</email>
</author>
<published>2021-06-07T15:01:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7f553ff214105f49e973187488ff93ff9c56b0c8'/>
<id>urn:sha1:7f553ff214105f49e973187488ff93ff9c56b0c8</id>
<content type='text'>
Fix some spelling mistakes in comments:
negociated  ==&gt; negotiated
dont  ==&gt; don't

Signed-off-by: Zheng Yongjun &lt;zhengyongjun3@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: Remove the member netns_ok</title>
<updated>2021-05-17T22:29:35+00:00</updated>
<author>
<name>Yejune Deng</name>
<email>yejune.deng@gmail.com</email>
</author>
<published>2021-05-17T12:22:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5796254e467bf1cff002df65fbb53ecef6a0e060'/>
<id>urn:sha1:5796254e467bf1cff002df65fbb53ecef6a0e060</id>
<content type='text'>
Every protocol has the 'netns_ok' member and it is euqal to 1. The
'if (!prot-&gt;netns_ok)' always false in inet_add_protocol().

Signed-off-by: Yejune Deng &lt;yejunedeng@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: fix a concurrency bug in l2tp_tunnel_register()</title>
<updated>2021-04-27T21:23:13+00:00</updated>
<author>
<name>Gong, Sishuai</name>
<email>sishuai@purdue.edu</email>
</author>
<published>2021-04-27T15:04:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=69e16d01d1de4f1249869de342915f608feb55d5'/>
<id>urn:sha1:69e16d01d1de4f1249869de342915f608feb55d5</id>
<content type='text'>
l2tp_tunnel_register() registers a tunnel without fully
initializing its attribute. This can allow another kernel thread
running l2tp_xmit_core() to access the uninitialized data and
then cause a kernel NULL pointer dereference error, as shown below.

Thread 1    Thread 2
//l2tp_tunnel_register()
list_add_rcu(&amp;tunnel-&gt;list, &amp;pn-&gt;l2tp_tunnel_list);
           //pppol2tp_connect()
           tunnel = l2tp_tunnel_get(sock_net(sk), info.tunnel_id);
           // Fetch the new tunnel
           ...
           //l2tp_xmit_core()
           struct sock *sk = tunnel-&gt;sock;
           ...
           bh_lock_sock(sk);
           //Null pointer error happens
tunnel-&gt;sock = sk;

Fix this bug by initializing tunnel-&gt;sock before adding the
tunnel into l2tp_tunnel_list.

Reviewed-by: Cong Wang &lt;cong.wang@bytedance.com&gt;
Signed-off-by: Sishuai Gong &lt;sishuai@purdue.edu&gt;
Reported-by: Sishuai Gong &lt;sishuai@purdue.edu&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: l2tp: Fix a typo</title>
<updated>2021-03-22T20:17:49+00:00</updated>
<author>
<name>Bhaskar Chowdhury</name>
<email>unixbhaskar@gmail.com</email>
</author>
<published>2021-03-22T12:21:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aa785f93fcb4e8c66f5d3de88cd7626774f13c1d'/>
<id>urn:sha1:aa785f93fcb4e8c66f5d3de88cd7626774f13c1d</id>
<content type='text'>
s/verifed/verified/

Signed-off-by: Bhaskar Chowdhury &lt;unixbhaskar@gmail.com&gt;
Acked-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: l2tp: reduce log level of messages in receive path, add counter instead</title>
<updated>2021-03-04T00:55:02+00:00</updated>
<author>
<name>Matthias Schiffer</name>
<email>mschiffer@universe-factory.net</email>
</author>
<published>2021-03-03T15:50:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e59e8856758eb5a2dfe1f831ef53b168fd58105'/>
<id>urn:sha1:3e59e8856758eb5a2dfe1f831ef53b168fd58105</id>
<content type='text'>
Commit 5ee759cda51b ("l2tp: use standard API for warning log messages")
changed a number of warnings about invalid packets in the receive path
so that they are always shown, instead of only when a special L2TP debug
flag is set. Even with rate limiting these warnings can easily cause
significant log spam - potentially triggered by a malicious party
sending invalid packets on purpose.

In addition these warnings were noticed by projects like Tunneldigger [1],
which uses L2TP for its data path, but implements its own control
protocol (which is sufficiently different from L2TP data packets that it
would always be passed up to userspace even with future extensions of
L2TP).

Some of the warnings were already redundant, as l2tp_stats has a counter
for these packets. This commit adds one additional counter for invalid
packets that are passed up to userspace. Packets with unknown session are
not counted as invalid, as there is nothing wrong with the format of
these packets.

With the additional counter, all of these messages are either redundant
or benign, so we reduce them to pr_debug_ratelimited().

[1] https://github.com/wlanslovenija/tunneldigger/issues/160

Fixes: 5ee759cda51b ("l2tp: use standard API for warning log messages")
Signed-off-by: Matthias Schiffer &lt;mschiffer@universe-factory.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
