4.9-stable patches

added patches:
	l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_ip6.patch

diff --git a/queue-4.9/l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_ip6.patch b/queue-4.9/l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_ip6.patch
new file mode 100644 (file)
index 0000000..3611aa0
--- /dev/null
+++ b/queue-4.9/l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_ip6.patch
@@ -0,0 +1,130 @@
+From 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri, 3 Nov 2017 16:49:00 +0100
+Subject: l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+commit 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 upstream.
+
+Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
+
+  * It doesn't take a reference on the returned tunnel, which makes the
+    call racy wrt. concurrent tunnel deletion.
+
+  * The lookup is only based on the tunnel identifier, so it can return
+    a tunnel that doesn't match the packet's addresses or protocol.
+
+For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
+delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
+cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
+corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
+sk_receive_skb() will then crash the kernel by trying to execute this
+callback.
+
+And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
+properly checks the socket binding and connection settings. It was used
+as a fallback mechanism for finding tunnels that didn't have their data
+path registered yet. But it's not limited to this case and can be used
+to replace l2tp_tunnel_find() in the general case.
+
+Fix l2tp_ip6 in the same way.
+
+Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
+Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Nicolas Schier <n.schier@avm.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/l2tp/l2tp_ip.c  |   24 +++++++++---------------
+ net/l2tp/l2tp_ip6.c |   24 +++++++++---------------
+ 2 files changed, 18 insertions(+), 30 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -116,6 +116,7 @@ static int l2tp_ip_recv(struct sk_buff *
+       unsigned char *ptr, *optr;
+       struct l2tp_session *session;
+       struct l2tp_tunnel *tunnel = NULL;
++      struct iphdr *iph;
+       int length;
+ 
+       if (!pskb_may_pull(skb, 4))
+@@ -174,24 +175,17 @@ pass_up:
+               goto discard;
+ 
+       tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
+-      tunnel = l2tp_tunnel_find(net, tunnel_id);
+-      if (tunnel) {
+-              sk = tunnel->sock;
+-              sock_hold(sk);
+-      } else {
+-              struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
+-
+-              read_lock_bh(&l2tp_ip_lock);
+-              sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr,
+-                                         inet_iif(skb), tunnel_id);
+-              if (!sk) {
+-                      read_unlock_bh(&l2tp_ip_lock);
+-                      goto discard;
+-              }
++      iph = (struct iphdr *)skb_network_header(skb);
+ 
+-              sock_hold(sk);
++      read_lock_bh(&l2tp_ip_lock);
++      sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr, inet_iif(skb),
++                                 tunnel_id);
++      if (!sk) {
+               read_unlock_bh(&l2tp_ip_lock);
++              goto discard;
+       }
++      sock_hold(sk);
++      read_unlock_bh(&l2tp_ip_lock);
+ 
+       if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
+               goto discard_put;
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -128,6 +128,7 @@ static int l2tp_ip6_recv(struct sk_buff
+       unsigned char *ptr, *optr;
+       struct l2tp_session *session;
+       struct l2tp_tunnel *tunnel = NULL;
++      struct ipv6hdr *iph;
+       int length;
+ 
+       if (!pskb_may_pull(skb, 4))
+@@ -187,24 +188,17 @@ pass_up:
+               goto discard;
+ 
+       tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
+-      tunnel = l2tp_tunnel_find(net, tunnel_id);
+-      if (tunnel) {
+-              sk = tunnel->sock;
+-              sock_hold(sk);
+-      } else {
+-              struct ipv6hdr *iph = ipv6_hdr(skb);
+-
+-              read_lock_bh(&l2tp_ip6_lock);
+-              sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr,
+-                                          inet6_iif(skb), tunnel_id);
+-              if (!sk) {
+-                      read_unlock_bh(&l2tp_ip6_lock);
+-                      goto discard;
+-              }
++      iph = ipv6_hdr(skb);
+ 
+-              sock_hold(sk);
++      read_lock_bh(&l2tp_ip6_lock);
++      sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr,
++                                  inet6_iif(skb), tunnel_id);
++      if (!sk) {
+               read_unlock_bh(&l2tp_ip6_lock);
++              goto discard;
+       }
++      sock_hold(sk);
++      read_unlock_bh(&l2tp_ip6_lock);
+ 
+       if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
+               goto discard_put;

diff --git a/queue-4.9/series b/queue-4.9/series
index 3d18983d2c70be20068cc39f5ea31aeb9456dc5d..8a46aee6860a99b2199cc5bd31e7b07971834775 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -120,3 +120,4 @@ x86-insn-fix-awk-regexp-warnings.patch
 x86-speculation-fix-incorrect-mds-taa-mitigation-status.patch
 x86-speculation-fix-redundant-mds-mitigation-message.patch
 nfc-port100-handle-command-failure-cleanly.patch
+l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_ip6.patch