Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says: ==================== pull request (net): ipsec 2017-10-24 1) Fix a memleak when we don't find a inner_mode during bundle creation. From David Miller. 2) Fix a xfrm policy dump crash. We may crash on error when dumping policies via netlink. Fix this by initializing the policy walk with the cb->start method. This fix is a serious stable candidate. From Herbert Xu. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2017-10-24 07:17:38 -0400
committer: David S. Miller <davem@davemloft.net> 2017-10-24 07:17:47 -0400
commit: 864f5af3a3525f588391cd230cb8129ad758708e (patch)
tree: f282338a19a9337206e237577509c31af4cf3672
parent: b71d21c274eff20a9db8158882b545b141b73ab8 (diff)
parent: 1137b5e2529a8f5ca8ee709288ecba3e68044df2 (diff)
2 files changed, 23 insertions, 18 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index f06253969972..2746b62a8944 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1573,6 +1573,14 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                        goto put_states;
                }
+                if (!dst_prev)
+                        dst0 = dst1;
+                else
+                        /* Ref count is taken during xfrm_alloc_dst()
+                         * No need to do dst_clone() on dst1
+                         */
+                        dst_prev->child = dst1;
                if (xfrm[i]->sel.family == AF_UNSPEC) {
                        inner_mode = xfrm_ip2inner_mode(xfrm[i],
                                                        xfrm_af2proto(family));
@@ -1584,14 +1592,6 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                } else
                        inner_mode = xfrm[i]->inner_mode;
-                if (!dst_prev)
-                        dst0 = dst1;
-                else
-                        /* Ref count is taken during xfrm_alloc_dst()
-                         * No need to do dst_clone() on dst1
-                         */
-                        dst_prev->child = dst1;
                xdst->route = dst;
                dst_copy_metrics(dst1, dst);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b997f1395357..e44a0fed48dd 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
 static int xfrm_dump_policy_done(struct netlink_callback *cb)
 {
-        struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+        struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
        struct net *net = sock_net(cb->skb->sk);
        xfrm_policy_walk_done(walk, net);
        return 0;
 }
+static int xfrm_dump_policy_start(struct netlink_callback *cb)
+{
+        struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+        BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
+        xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+        return 0;
+}
 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
 {
        struct net *net = sock_net(skb->sk);
-        struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+        struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
        struct xfrm_dump_info info;
-        BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
-                     sizeof(cb->args) - sizeof(cb->args[0]));
        info.in_skb = cb->skb;
        info.out_skb = skb;
        info.nlmsg_seq = cb->nlh->nlmsg_seq;
        info.nlmsg_flags = NLM_F_MULTI;
-        if (!cb->args[0]) {
-                cb->args[0] = 1;
-                xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
-        }
        (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
        return skb->len;
@@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
 static const struct xfrm_link {
        int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
+        int (*start)(struct netlink_callback *);
        int (*dump)(struct sk_buff *, struct netlink_callback *);
        int (*done)(struct netlink_callback *);
        const struct nla_policy *nla_pol;
@@ -2487,6 +2490,7 @@ static const struct xfrm_link {
        [XFRM_MSG_NEWPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },
        [XFRM_MSG_DELPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy    },
        [XFRM_MSG_GETPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
+                                                   .start = xfrm_dump_policy_start,
                                                   .dump = xfrm_dump_policy,
                                                   .done = xfrm_dump_policy_done },
        [XFRM_MSG_ALLOCSPI    - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
@@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
                {
                        struct netlink_dump_control c = {
+                                .start = link->start,
                                .dump = link->dump,
                                .done = link->done,
                        };
author	David S. Miller <davem@davemloft.net>	2017-10-24 07:17:38 -0400
committer	David S. Miller <davem@davemloft.net>	2017-10-24 07:17:47 -0400
commit	864f5af3a3525f588391cd230cb8129ad758708e (patch)
tree	f282338a19a9337206e237577509c31af4cf3672
parent	b71d21c274eff20a9db8158882b545b141b73ab8 (diff)
parent	1137b5e2529a8f5ca8ee709288ecba3e68044df2 (diff)