[kernel] r16605 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Sat Nov 27 23:07:13 UTC 2010


Author: benh
Date: Sat Nov 27 23:07:10 2010
New Revision: 16605

Log:
l2tp: Fix UDP socket reference count bugs in the pppol2tp driver (Closes: #604748)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/l2tp-Fix-UDP-socket-reference-count-bugs-in-pppol2tp.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/29

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Sat Nov 27 21:57:12 2010	(r16604)
+++ dists/sid/linux-2.6/debian/changelog	Sat Nov 27 23:07:10 2010	(r16605)
@@ -5,6 +5,8 @@
     the 9240 family (Closes: #604083)
   * tcp: Make TCP_MAXSEG minimum more correct (refinement of fix for
     CVE-2010-4165)
+  * l2tp: Fix UDP socket reference count bugs in the pppol2tp driver
+    (Closes: #604748)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 27 Nov 2010 21:06:54 +0000
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/l2tp-Fix-UDP-socket-reference-count-bugs-in-pppol2tp.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/l2tp-Fix-UDP-socket-reference-count-bugs-in-pppol2tp.patch	Sat Nov 27 23:07:10 2010	(r16605)
@@ -0,0 +1,97 @@
+From: James Chapman <jchapman at katalix.com>
+Date: Tue, 16 Mar 2010 06:29:20 +0000
+Subject: [PATCH] l2tp: Fix UDP socket reference count bugs in the pppol2tp driver
+
+commit c3259c8a7060d480e8eb2166da0a99d6879146b4 upstream.
+
+This patch fixes UDP socket refcnt bugs in the pppol2tp driver.
+
+A bug can cause a kernel stack trace when a tunnel socket is closed.
+
+A way to reproduce the issue is to prepare the UDP socket for L2TP (by
+opening a tunnel pppol2tp socket) and then close it before any L2TP
+sessions are added to it. The sequence is
+
+Create UDP socket
+Create tunnel pppol2tp socket to prepare UDP socket for L2TP
+  pppol2tp_connect: session_id=0, peer_session_id=0
+L2TP SCCRP control frame received (tunnel_id==0)
+  pppol2tp_recv_core: sock_hold()
+  pppol2tp_recv_core: sock_put
+L2TP ZLB control frame received (tunnel_id=nnn)
+  pppol2tp_recv_core: sock_hold()
+  pppol2tp_recv_core: sock_put
+Close tunnel management socket
+  pppol2tp_release: session_id=0, peer_session_id=0
+Close UDP socket
+  udp_lib_close: BUG
+
+The addition of sock_hold() in pppol2tp_connect() solves the problem.
+
+For data frames, two sock_put() calls were added to plug a refcnt leak
+per received data frame. The ref that is grabbed at the top of
+pppol2tp_recv_core() must always be released, but this wasn't done for
+accepted data frames or data frames discarded because of bad UDP
+checksums. This leak meant that any UDP socket that had passed L2TP
+data traffic (i.e. L2TP data frames, not just L2TP control frames)
+using pppol2tp would not be released by the kernel.
+
+WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
+Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
+Call Trace:
+ [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
+ [<c101b871>] ? warn_slowpath_common+0x71/0xd0
+ [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
+ [<c101b8e3>] ? warn_slowpath_null+0x13/0x20
+ [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
+ [<c11598a7>] ? sk_common_release+0x17/0x90
+ [<c11a5e33>] ? inet_release+0x33/0x60
+ [<c11577b0>] ? sock_release+0x10/0x60
+ [<c115780f>] ? sock_close+0xf/0x30
+ [<c106e542>] ? __fput+0x52/0x150
+ [<c106b68e>] ? filp_close+0x3e/0x70
+ [<c101d2e2>] ? put_files_struct+0x62/0xb0
+ [<c101eaf7>] ? do_exit+0x5e7/0x650
+ [<c1081623>] ? mntput_no_expire+0x13/0x70
+ [<c106b68e>] ? filp_close+0x3e/0x70
+ [<c101eb8a>] ? do_group_exit+0x2a/0x70
+ [<c101ebe1>] ? sys_exit_group+0x11/0x20
+ [<c10029b0>] ? sysenter_do_call+0x12/0x26
+
+Signed-off-by: James Chapman <jchapman at katalix.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/pppol2tp.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
+index 5861ee9..449a982 100644
+--- a/drivers/net/pppol2tp.c
++++ b/drivers/net/pppol2tp.c
+@@ -756,6 +756,7 @@ static int pppol2tp_recv_core(struct sock *sock, struct sk_buff *skb)
+ 
+ 	/* Try to dequeue as many skbs from reorder_q as we can. */
+ 	pppol2tp_recv_dequeue(session);
++	sock_put(sock);
+ 
+ 	return 0;
+ 
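Review bot: the `sock_put(sock)` added after `pppol2tp_recv_dequeue(session)` has no comment tying it to the reference that, per the commit message, is grabbed at the top of `pppol2tp_recv_core()`. A one-line comment stating that this drops the ref taken at function entry would make the pairing obvious to whoever next adds an exit path to this function.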
+@@ -772,6 +773,7 @@ discard_bad_csum:
+ 	UDP_INC_STATS_USER(&init_net, UDP_MIB_INERRORS, 0);
+ 	tunnel->stats.rx_errors++;
+ 	kfree_skb(skb);
++	sock_put(sock);
+ 
+ 	return 0;
+ 
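Review bot: the `discard_bad_csum` path now ends in the same `sock_put(sock);` / `return 0;` pair as the accepted-frame path in the previous hunk, so the release is repeated once per exit. Since the commit message says the ref "must always be released", consider routing these exits through one shared label that does the `sock_put()`, so a later return path cannot reintroduce the leak.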
+@@ -1662,6 +1664,7 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ 		if (tunnel_sock == NULL)
+ 			goto end;
+ 
++		sock_hold(tunnel_sock);
+ 		tunnel = tunnel_sock->sk_user_data;
+ 	} else {
+ 		tunnel = pppol2tp_tunnel_find(sock_net(sk), sp->pppol2tp.s_tunnel);
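Review bot: the `sock_hold(tunnel_sock)` is taken only in this branch, and the patch adds no matching `sock_put()` in `pppol2tp_connect()` (the diffstat shows 3 insertions, 0 deletions). Please confirm that failure paths after this line that reach `end` do not leave the extra reference behind, and add a comment naming the function that drops it. The `else` branch, which uses `pppol2tp_tunnel_find()`, shows no corresponding hold in the visible lines; a short note on why that asymmetry is intended would help.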
+-- 
+1.7.2.3
+

Modified: dists/sid/linux-2.6/debian/patches/series/29
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/29	Sat Nov 27 21:57:12 2010	(r16604)
+++ dists/sid/linux-2.6/debian/patches/series/29	Sat Nov 27 23:07:10 2010	(r16605)
@@ -4,3 +4,4 @@
 + features/all/SCSI-megaraid_sas-allocate-cmds-to-sas2-controller.patch
 + features/all/SCSI-megaraid_sas-Fix-fw-hang-caused-by-megaraid-sas-app.patch
 + bugfix/all/tcp-Make-TCP_MAXSEG-minimum-more-correct.patch
++ bugfix/all/l2tp-Fix-UDP-socket-reference-count-bugs-in-pppol2tp.patch


