* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
From: Alexey Dobriyan @ 2007-02-12 18:20 UTC
To: Charles-Edouard Ruault; +Cc: netdev
[removing l-k from CC, and switching to netdev]
Please, send your .config.
Is it reproducible?
On Mon, Feb 12, 2007 at 03:16:04PM +0100, Charles-Edouard Ruault wrote:
> I upgraded to vanilla kernel 2.6.20 and while I was using strongswan
> 2.8.2 to set up an IPSEC VPN I got the following kernel Oops.
> I had successfully established the same tunnel a few times, but key
> renegotiation caused a problem (both ends did not renegotiate at the
> same time so the tunnel was frozen). I decided to kill the tunnel and
> start a new one (using ipsec auto --down tunnel & ipsec auto --up
> tunnel); while I was doing so, I got the oops.
>
> BUG: unable to handle kernel NULL pointer dereference at virtual address
> 00000188
> printing eip:
> c02fb85c
> *pde = 00000000
> Oops: 0000 [#1]
> PREEMPT
> Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish
> twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1
> crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100
> hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns
> ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter
> ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK
> iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus
> video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod
> libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus
> ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event
> snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc
> snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart
> i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
> CPU: 0
> EIP: 0060:[<c02fb85c>] Not tainted VLI
> EFLAGS: 00010246 (2.6.20 #1)
> EIP is at xfrm_audit_log+0x4cc/0x580
> eax: ecb71061 ebx: c039d160 ecx: 00000000 edx: 00000021
> esi: 000001f4 edi: 00000255 ebp: 00000000 esp: e8cd5a18
> ds: 007b es: 007b ss: 0068
> Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
> Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001
> 00000003
> f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000
> 00000286
> f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67
> 00000000
> Call Trace:
> [<c011506b>] __wake_up+0x4b/0x80
> [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
> [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
> [<c011d90e>] local_bh_enable+0x2e/0xa0
> [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
> [<c0305e50>] xfrm_get_policy+0x0/0x2f0
> [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
> [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
> [<c02b3782>] netlink_run_queue+0x82/0x120
> [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
> [<c02b3d42>] netlink_data_ready+0x12/0x50
> [<c02b2931>] netlink_sendskb+0x21/0x40
> [<c02b3c50>] netlink_sendmsg+0x230/0x310
> [<c02993cd>] sock_aio_write+0x11d/0x130
> [<c01d538a>] avc_has_perm+0x5a/0x70
> [<c0163ed5>] do_sync_write+0xd5/0x120
> [<c012c960>] autoremove_wake_function+0x0/0x50
> [<c01648c7>] vfs_write+0x177/0x180
> [<c0164ea1>] sys_write+0x41/0x70
> [<c0102f14>] syscall_call+0x7/0xb
> =======================
> Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24
> 48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91
> 88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
> EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18
>
> I'm running a vanilla 2.6.20 kernel on a Fedora Core 5 box on an Athlon
> processor:
> cat /proc/cpuinfo
> processor : 0
> vendor_id : AuthenticAMD
> cpu family : 6
> model : 8
> model name : AMD Athlon(TM) XP 2400+
> stepping : 1
> cpu MHz : 2000.256
> cache size : 256 KB
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : no
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 1
> wp : yes
> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
> mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow ts
> bogomips : 4003.78
> clflush size : 32
>
> uname -a
> Linux machine 2.6.20 #1 PREEMPT Sat Feb 10 13:48:56 CET 2007 i686 athlon
> i386 GNU/Linux
>
> Please CC me in follow-ups since I do not subscribe to the list.
* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
From: Charles-Edouard Ruault @ 2007-02-12 21:14 UTC
To: Alexey Dobriyan; +Cc: netdev
Alexey Dobriyan wrote:
> [removing l-k from CC, and switching to netdev]
>
> Please, send your .config.
> Is it reproducible?
>
> On Mon, Feb 12, 2007 at 03:16:04PM +0100, Charles-Edouard Ruault wrote:
>
>> I upgraded to vanilla kernel 2.6.20 and while I was using strongswan
>> 2.8.2 to set up an IPSEC VPN I got the following kernel Oops.
>> I had successfully established the same tunnel a few times, but key
>> renegotiation caused a problem (both ends did not renegotiate at the
>> same time so the tunnel was frozen). I decided to kill the tunnel and
>> start a new one (using ipsec auto --down tunnel & ipsec auto --up
>> tunnel); while I was doing so, I got the oops.
>>
>> BUG: unable to handle kernel NULL pointer dereference at virtual address
>> 00000188
>> printing eip:
>> c02fb85c
>> *pde = 00000000
>> Oops: 0000 [#1]
>> PREEMPT
>> Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish
>> twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1
>> crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100
>> hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns
>> ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter
>> ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK
>> iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus
>> video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod
>> libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus
>> ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event
>> snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc
>> snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart
>> i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
>> CPU: 0
>> EIP: 0060:[<c02fb85c>] Not tainted VLI
>> EFLAGS: 00010246 (2.6.20 #1)
>> EIP is at xfrm_audit_log+0x4cc/0x580
>> eax: ecb71061 ebx: c039d160 ecx: 00000000 edx: 00000021
>> esi: 000001f4 edi: 00000255 ebp: 00000000 esp: e8cd5a18
>> ds: 007b es: 007b ss: 0068
>> Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
>> Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001
>> 00000003
>> f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000
>> 00000286
>> f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67
>> 00000000
>> Call Trace:
>> [<c011506b>] __wake_up+0x4b/0x80
>> [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
>> [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
>> [<c011d90e>] local_bh_enable+0x2e/0xa0
>> [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
>> [<c0305e50>] xfrm_get_policy+0x0/0x2f0
>> [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
>> [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
>> [<c02b3782>] netlink_run_queue+0x82/0x120
>> [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
>> [<c02b3d42>] netlink_data_ready+0x12/0x50
>> [<c02b2931>] netlink_sendskb+0x21/0x40
>> [<c02b3c50>] netlink_sendmsg+0x230/0x310
>> [<c02993cd>] sock_aio_write+0x11d/0x130
>> [<c01d538a>] avc_has_perm+0x5a/0x70
>> [<c0163ed5>] do_sync_write+0xd5/0x120
>> [<c012c960>] autoremove_wake_function+0x0/0x50
>> [<c01648c7>] vfs_write+0x177/0x180
>> [<c0164ea1>] sys_write+0x41/0x70
>> [<c0102f14>] syscall_call+0x7/0xb
>> =======================
>> Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24
>> 48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91
>> 88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
>> EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18
>>
>> I'm running a vanilla 2.6.20 kernel on a Fedora Core 5 box on an Athlon
>> processor:
>> cat /proc/cpuinfo
>> processor : 0
>> vendor_id : AuthenticAMD
>> cpu family : 6
>> model : 8
>> model name : AMD Athlon(TM) XP 2400+
>> stepping : 1
>> cpu MHz : 2000.256
>> cache size : 256 KB
>> fdiv_bug : no
>> hlt_bug : no
>> f00f_bug : no
>> coma_bug : no
>> fpu : yes
>> fpu_exception : yes
>> cpuid level : 1
>> wp : yes
>> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
>> mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow ts
>> bogomips : 4003.78
>> clflush size : 32
>>
>> uname -a
>> Linux machine 2.6.20 #1 PREEMPT Sat Feb 10 13:48:56 CET 2007 i686 athlon
>> i386 GNU/Linux
>>
>> Please CC me in follow-ups since I do not subscribe to the list.
>>
>
>
Here's my config.gz attached.
I don't know if it's reproducible; I have not had the time to reboot and
try again yet.
I just applied the patch that Joy sent. I'm trying with the patched
kernel and will let the list know if it happens again.
--
Charles-Edouard Ruault
PGP Key ID E4D2B80C
[-- Attachment #2: config.gz --]
[-- Type: application/x-gzip, Size: 12809 bytes --]
* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
From: David Miller @ 2007-02-12 22:49 UTC
To: akpm; +Cc: netdev, ce
Andrew, we're already discussing a fix for this in another
thread today:
commit 13fcfbb0675bf87da694f55dec11cada489a205c
Author: David S. Miller <davem@sunset.davemloft.net>
Date: Mon Feb 12 13:53:54 2007 -0800
[XFRM]: Fix OOPSes in xfrm_audit_log().
Make sure that this function is called correctly, and
add BUG() checking to ensure the arguments are sane.
Based upon a patch by Joy Latten.
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/key/af_key.c b/net/key/af_key.c
index f3a026f..1c58204 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
&sel, tmp.security, 1);
security_xfrm_policy_free(&tmp);
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
if (xp == NULL)
return -ENOENT;
- err = 0;
+ err = security_xfrm_policy_delete(xp);
- if ((err = security_xfrm_policy_delete(xp)))
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+ if (err)
goto out;
+
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
c.event = XFRM_MSG_DELPOLICY;
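Review bot: moving the audit call below the `if (xp == NULL) return -ENOENT;` check silently drops the audit record for a delete request that names no existing policy; the removed lines logged that case with result 0 (and crashed, because xfrm_audit_log() dereferences xp for AUDIT_MAC_IPSEC_DELSPD), so the change in what gets audited deserves a sentence in the commit message rather than being left implicit. The meaning of the result field also shifts here, from "policy found" (`(xp) ? 1 : 0`) to "security hook succeeded" (`err ? 0 : 1`); if any audit consumer keys on that field, this is a user-visible change as well.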
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a24f385..c394b41 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1997,9 +1997,14 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
if (audit_enabled == 0)
return;
+ BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
+ type == AUDIT_MAC_IPSEC_DELSA) && !x);
+ BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
+ type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
+
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
- return;
+ return;
switch(type) {
case AUDIT_MAC_IPSEC_ADDSA:
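Review bot: the new BUG_ON() checks sit below the `if (audit_enabled == 0) return;` early return, so a caller that passes a NULL x or xp is only caught on systems with auditing turned on; placing the checks ahead of that return would make the argument contract hold regardless of audit state. Since the alternative failure mode is a NULL dereference either way, a WARN_ON() followed by `return` would also keep a future mis-call from taking the whole machine down on a request that arrives over netlink or PF_KEY. The `- return;` / `+ return;` pair at the bottom is a whitespace-only change and could be left out of a bug-fix patch.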
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d55436d..2567453 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
security_xfrm_policy_free(&tmp);
}
- if (delete)
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
if (xp == NULL)
return -ENOENT;
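Review bot: with these lines removed, a delete request whose selector matches nothing returns -ENOENT with no AUDIT_MAC_IPSEC_DELSPD record at all, where the old code emitted one with result 0; the log goes quiet on exactly the failed-deletion case an auditor is most likely to search for. If that is acceptable it should be stated in the commit message; otherwise a NULL-safe logging path (one that prints no policy fields) is needed, because the later hunk only audits once xp is known to be non-NULL.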
@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
MSG_DONTWAIT);
}
} else {
- if ((err = security_xfrm_policy_delete(xp)) != 0)
+ err = security_xfrm_policy_delete(xp);
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+ if (err != 0)
goto out;
+
c.data.byid = p->index;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
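Review bot: the `err = security_xfrm_policy_delete(xp);` / `xfrm_audit_log(..., err ? 0 : 1, xp, NULL);` / `if (err != 0) goto out;` sequence is now a verbatim twin of the one added to pfkey_spddelete() in net/key/af_key.c, differing only in where auid and sid come from (and af_key passes sid 0 where this path passes NETLINK_CB(skb).sid); a small helper taking (auid, sid, xp, err) would keep the two entry points from drifting apart on the next fix. The lookup at the top of the function was already called with `delete` set, so what a result 0 record means here (security hook failed, not necessarily a policy still installed) depends on what that lookup did; a one-line comment on the semantics of result=0 in this path would save the next reader a trip through the call chain.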
* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
From: Andrew Morton @ 2007-02-12 23:01 UTC
To: David Miller; +Cc: netdev, ce
On Mon, 12 Feb 2007 14:49:38 -0800 (PST) David Miller <davem@davemloft.net> wrote:
> Andrew, we're already discussing a fix for this in another
> thread today:
Yeah, I noticed. Victimised again by those darn MUA vendors and/or
users who bust their In-Reply-To/References headers :(