From: Patrick McHardy <kaber@trash.net>
To: Beschorner Daniel <Daniel.Beschorner@facton.com>
Cc: netdev@vger.kernel.org, Eric Dumazet <dada1@cosmosbay.com>
Subject: Re: IPSec freeze
Date: Tue, 17 Jul 2007 18:10:13 +0200
Message-ID: <469CE9E5.7040003@trash.net>
In-Reply-To: <469BB50C.10203@trash.net>

[-- Attachment #1: Type: text/plain, Size: 775 bytes --]

Patrick McHardy wrote:
> Beschorner Daniel wrote:
>   
>>> I managed to reproduce a crash with ipcomp, will try to fix it later.
>>>       
>> Yes, I can confirm this.
>> After disabling IPComp the crashes went away.
>>     
>
>
> The crash happens in xfrm_bundle_ok when walking the bundle upwards
> following xfrm_dst->u.next. The loop should be stopped when
> xfrm_dst->u.next == first (the topmost xfrm_dst), but it points to
> NULL instead. I'm pretty sure the attached patch is responsible,
> it breaks XFRM's assumption that dst->next and xfrm_dst->u.next are
> the same pointer and xfrm_dst now shares the next pointer with
> rcu_head.next in struct dst_entry.
>
> Eric, could you look into this please?

I fixed it myself. Daniel, can you please test this patch?




[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1543 bytes --]

[XFRM]: Fix crash introduced by struct dst_entry reordering

XFRM expects xfrm_dst->u.next to be the same pointer as dst->next, which
was broken by the dst_entry reordering in commit 1e19e02c~, causing
an oops in xfrm_bundle_ok when walking the bundle upwards.

Kill xfrm_dst->u.next and change the only user to use dst->next instead.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 20c2fee8cc562817f11752e1d87350d5994fa098
tree f42318b847e962aa637136e94722a688c231111a
parent 308ac1b6249226730b70fcf7c13a289c27ce2bf3
author Patrick McHardy <kaber@trash.net> Tue, 17 Jul 2007 18:11:29 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 17 Jul 2007 18:11:29 +0200

 include/net/xfrm.h     |    1 -
 net/xfrm/xfrm_policy.c |    2 +-
 2 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index ae959e9..a5f80bf 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -585,7 +585,6 @@ static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ct
 struct xfrm_dst
 {
 	union {
-		struct xfrm_dst		*next;
 		struct dst_entry	dst;
 		struct rtable		rt;
 		struct rt6_info		rt6;
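
Review bot: nothing at the union in struct xfrm_dst records the layout rule that the rest of this patch now depends on: with `next` gone, the cast in xfrm_bundle_ok is only valid while `u` stays the first member of struct xfrm_dst and `dst` sits at offset 0 of the union. A one-line comment above `struct dst_entry dst;` saying so, or a build-time offset check, would keep a later reordering from silently reintroducing the same class of bug. Dropping the member rather than keeping it as an alias is a good choice, since any leftover `u.next` user now fails to compile.
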
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 157bfbd..b48f06f 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2141,7 +2141,7 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
 		if (last == first)
 			break;
 
-		last = last->u.next;
+		last = (struct xfrm_dst *)last->u.dst.next;
 		last->child_mtu_cached = mtu;
 	}
 
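
Review bot: `last->child_mtu_cached = mtu;` dereferences the result of the new `last = (struct xfrm_dst *)last->u.dst.next;` with no NULL check, and the loop's only exit is `last == first`. The crash described in this thread was exactly a NULL next pointer reached before `first`, so a check before the dereference, or at least a comment stating the invariant that every dst->next in the bundle leads back to `first`, would make a future violation fail in a diagnosable way. The open-coded cast would also read better behind a small inline helper, so the dst-to-xfrm_dst conversion lives in one place.
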

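The layout assumption discussed in the message above, as an added example that is not part of the original mail or the kernel source: a toy model in which the union alias reads the RCU head's pointer instead of `dst.next`, next to the walk through `dst.next` that the patch switches to. All `*_toy` types and the functions `alias_is_valid`, `walk_up` and `demo` are hypothetical stand-ins.

```c
/* Toy model: names and layouts are simplified stand-ins, not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct rcu_toy { struct rcu_toy *next; void (*func)(struct rcu_toy *); };
/* Reordered layout: rcu_head sits at offset 0, next comes after it. */
struct dst_toy { struct rcu_toy rcu_head; struct dst_toy *child, *next; };

struct xdst_toy {
	union {
		struct xdst_toy *next;	/* alias that assumes dst.next is at offset 0 */
		struct dst_toy dst;
	} u;
};

/* The layout assumption as an offset comparison; 0 for the layout above. */
int alias_is_valid(void)
{
	return offsetof(struct xdst_toy, u.next) == offsetof(struct xdst_toy, u.dst.next);
}

/* Returns hops from `last` up to `first`, or -1 on a NULL link (the oops). */
int walk_up(struct xdst_toy *last, struct xdst_toy *first, int use_alias)
{
	int hops = 0;
	while (last != first) {
		last = use_alias ? last->u.next : (struct xdst_toy *)last->u.dst.next;
		if (!last)
			return -1;
		hops++;
	}
	return hops;
}

/* Three-entry bundle linked only through dst.next; b[0] plays `first`. */
int demo(int use_alias)
{
	struct xdst_toy b[3];
	memset(b, 0, sizeof(b));
	b[2].u.dst.next = &b[1].u.dst;
	b[1].u.dst.next = &b[0].u.dst;
	return walk_up(&b[2], &b[0], use_alias);
}

int main(void)
{
	printf("alias valid=%d alias walk=%d dst walk=%d\n", alias_is_valid(), demo(1), demo(0));
	return 0;
}
```
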