From patchwork Wed Jun 13 13:09:18 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guillaume Nault <g.nault@alphalink.fr>
X-Patchwork-Id: 928876
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=alphalink.fr
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 415RtH70Gjz9s0W
	for <patchwork-incoming-netdev@ozlabs.org>;
	Wed, 13 Jun 2018 23:09:43 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S935599AbeFMNJW (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 13 Jun 2018 09:09:22 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:56039 "EHLO
	zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S935581AbeFMNJV (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 13 Jun 2018 09:09:21 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	C84982B5202D; Wed, 13 Jun 2018 15:09:19 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10032)
	with ESMTP id m5RGs1Y5xHsc; Wed, 13 Jun 2018 15:09:18 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	769DA2B52120; Wed, 13 Jun 2018 15:09:18 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10026)
	with ESMTP id X_zqQ7eb-wDM; Wed, 13 Jun 2018 15:09:18 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr
	[217.15.84.94])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	4954A2B5202D; Wed, 13 Jun 2018 15:09:18 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
	id 260BB601D5; Wed, 13 Jun 2018 15:09:18 +0200 (CEST)
Date: Wed, 13 Jun 2018 15:09:18 +0200
From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>
Subject: [PATCH net 1/4] l2tp: fix pseudo-wire type for sessions created by
	pppol2tp_connect()
Message-ID: 
 <1fbfda862d50a903c67268f1c3981ad04fa32f4b.1528887257.git.g.nault@alphalink.fr>
References: <cover.1528887257.git.g.nault@alphalink.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1528887257.git.g.nault@alphalink.fr>
X-Mutt-Fcc: =Sent
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Define cfg.pw_type so that the new session is created with its .pwtype
field properly set (L2TP_PWTYPE_PPP).

Not setting the pseudo-wire type had several annoying effects:

  * Invalid value returned in the L2TP_ATTR_PW_TYPE attribute when
    dumping sessions with the netlink API.

  * Impossibility to delete the session using the netlink API (because
    l2tp_nl_cmd_session_delete() gets the deletion callback function
    from an array indexed by the session's pseudo-wire type).

Also, there are several cases where we should check a session's
pseudo-wire type. For example, pppol2tp_connect() should refuse to
connect a session that is not PPPoL2TP, but that requires the session's
.pwtype field to be properly set.

Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_ppp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index b56cb1df4fc0..270a0a999eaf 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -751,6 +751,7 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 		/* Default MTU must allow space for UDP/L2TP/PPP headers */
 		cfg.mtu = 1500 - PPPOL2TP_HEADER_OVERHEAD;
 		cfg.mru = cfg.mtu;
+		cfg.pw_type = L2TP_PWTYPE_PPP;
 
 		session = l2tp_session_create(sizeof(struct pppol2tp_session),
 					      tunnel, session_id,

From patchwork Wed Jun 13 13:09:19 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guillaume Nault <g.nault@alphalink.fr>
X-Patchwork-Id: 928872
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=alphalink.fr
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 415Rt11Zk9z9s47
	for <patchwork-incoming-netdev@ozlabs.org>;
	Wed, 13 Jun 2018 23:09:29 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S935635AbeFMNJY (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 13 Jun 2018 09:09:24 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:56063 "EHLO
	zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S935581AbeFMNJX (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 13 Jun 2018 09:09:23 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	4AC3F2B5202D; Wed, 13 Jun 2018 15:09:22 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10032)
	with ESMTP id ryKhfMQqP2dq; Wed, 13 Jun 2018 15:09:21 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	100512B52128; Wed, 13 Jun 2018 15:09:21 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10026)
	with ESMTP id pMQtat3aVm5J; Wed, 13 Jun 2018 15:09:20 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr
	[217.15.84.94])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	E91862B52120; Wed, 13 Jun 2018 15:09:20 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
	id 4F1C0601D5; Wed, 13 Jun 2018 15:09:19 +0200 (CEST)
Date: Wed, 13 Jun 2018 15:09:19 +0200
From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>
Subject: [PATCH net 2/4] l2tp: only accept PPP sessions in pppol2tp_connect()
Message-ID: 
 <89a39d08a4722ac050d28b07333ca096786812f6.1528887257.git.g.nault@alphalink.fr>
References: <cover.1528887257.git.g.nault@alphalink.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1528887257.git.g.nault@alphalink.fr>
X-Mutt-Fcc: =Sent
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

l2tp_session_priv() returns a struct pppol2tp_session pointer only for
PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
structure, which is much smaller than struct pppol2tp_session. This
leads to invalid memory dereference when trying to lock ps->sk_lock.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_ppp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 270a0a999eaf..8b3b6947a07d 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -734,6 +734,12 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 	session = l2tp_session_get(sock_net(sk), tunnel, session_id);
 	if (session) {
 		drop_refcnt = true;
+
+		if (session->pwtype != L2TP_PWTYPE_PPP) {
+			error = -EPROTOTYPE;
+			goto end;
+		}
+
 		ps = l2tp_session_priv(session);
 
 		/* Using a pre-existing session is fine as long as it hasn't

From patchwork Wed Jun 13 13:09:20 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guillaume Nault <g.nault@alphalink.fr>
X-Patchwork-Id: 928875
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=alphalink.fr
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 415Rt40l9yz9s0W
	for <patchwork-incoming-netdev@ozlabs.org>;
	Wed, 13 Jun 2018 23:09:32 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S935656AbeFMNJa (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 13 Jun 2018 09:09:30 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:56073 "EHLO
	zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S935575AbeFMNJ2 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 13 Jun 2018 09:09:28 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	1F38A2B5202D; Wed, 13 Jun 2018 15:09:27 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10032)
	with ESMTP id Su4h72_VUyH1; Wed, 13 Jun 2018 15:09:20 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	D31CA2B5212C; Wed, 13 Jun 2018 15:09:20 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10026)
	with ESMTP id nYpVcUm7z_ZG; Wed, 13 Jun 2018 15:09:20 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr
	[217.15.84.94])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	924242B5212B; Wed, 13 Jun 2018 15:09:20 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
	id 76691601EB; Wed, 13 Jun 2018 15:09:20 +0200 (CEST)
Date: Wed, 13 Jun 2018 15:09:20 +0200
From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>
Subject: [PATCH net 3/4] l2tp: prevent pppol2tp_connect() from creating
	kernel sockets
Message-ID: 
 <9a3f14ac043bec02bf61bb153f6c96fc592f12e0.1528887257.git.g.nault@alphalink.fr>
References: <cover.1528887257.git.g.nault@alphalink.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1528887257.git.g.nault@alphalink.fr>
X-Mutt-Fcc: =Sent
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using
the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets
the relevant fields to zero, tricking l2tp_tunnel_create() into setting
up an unusable kernel socket.

We can't set 'tcfg' with the required fields because there's no way to
get them from the current connect() parameters. So let's restrict
kernel sockets creation to the netlink API, which is the original use
case.

Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_ppp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 8b3b6947a07d..1b24f76ae210 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -701,6 +701,15 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 				.encap = L2TP_ENCAPTYPE_UDP,
 				.debug = 0,
 			};
+
+			/* Prevent l2tp_tunnel_register() from trying to set up
+			 * a kernel socket.
+			 */
+			if (fd < 0) {
+				error = -EBADF;
+				goto end;
+			}
+
 			error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel);
 			if (error < 0)
 				goto end;

From patchwork Wed Jun 13 13:09:21 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guillaume Nault <g.nault@alphalink.fr>
X-Patchwork-Id: 928874
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=alphalink.fr
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 415Rt22NH9z9s4Y
	for <patchwork-incoming-netdev@ozlabs.org>;
	Wed, 13 Jun 2018 23:09:30 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S935647AbeFMNJ0 (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 13 Jun 2018 09:09:26 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:56066 "EHLO
	zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S935575AbeFMNJY (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 13 Jun 2018 09:09:24 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	444942B52122; Wed, 13 Jun 2018 15:09:23 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10032)
	with ESMTP id ciNu231lX0VK; Wed, 13 Jun 2018 15:09:22 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	E163D2B52120; Wed, 13 Jun 2018 15:09:21 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10026)
	with ESMTP id rHdPJuxJujP0; Wed, 13 Jun 2018 15:09:21 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr
	[217.15.84.94])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	B7BFE2B5202D; Wed, 13 Jun 2018 15:09:21 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
	id 9F74A601D5; Wed, 13 Jun 2018 15:09:21 +0200 (CEST)
Date: Wed, 13 Jun 2018 15:09:21 +0200
From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>
Subject: [PATCH net 4/4] l2tp: clean up stale tunnel or session in
	pppol2tp_connect's error path
Message-ID: 
 <bbe0f1360500aa8e8612dd63f7286f3a3afc44d6.1528887257.git.g.nault@alphalink.fr>
References: <cover.1528887257.git.g.nault@alphalink.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1528887257.git.g.nault@alphalink.fr>
X-Mutt-Fcc: =Sent
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

pppol2tp_connect() may create a tunnel or a session. Remove them in
case of error.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_ppp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 1b24f76ae210..f429fed06a1e 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -612,6 +612,8 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 	u32 session_id, peer_session_id;
 	bool drop_refcnt = false;
 	bool drop_tunnel = false;
+	bool new_session = false;
+	bool new_tunnel = false;
 	int ver = 2;
 	int fd;
 
@@ -722,6 +724,7 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 				goto end;
 			}
 			drop_tunnel = true;
+			new_tunnel = true;
 		}
 	} else {
 		/* Error if we can't find the tunnel */
@@ -788,6 +791,7 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 			goto end;
 		}
 		drop_refcnt = true;
+		new_session = true;
 	}
 
 	/* Special case: if source & dest session_id == 0x0000, this
@@ -834,6 +838,12 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 		  session->name);
 
 end:
+	if (error) {
+		if (new_session)
+			l2tp_session_delete(session);
+		if (new_tunnel)
+			l2tp_tunnel_delete(tunnel);
+	}
 	if (drop_refcnt)
 		l2tp_session_dec_refcount(session);
 	if (drop_tunnel)