author | Wei Yongjun <yjwei@cn.fujitsu.com> | 2011-03-21 21:08:28 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-03-21 21:08:28 -0400 |
commit | a454f0ccefbfdbfc0e1aa8a5f8010af5e48b8845 (patch) | |
tree | 359fdf6dbff1494ffe3d5cc8861fb0c0b72cc831 | |
parent | 0e24d34a5b95226cfc335817aefd9cf9744e5659 (diff) |
xfrm: Fix initialize repl field of struct xfrm_state
Commit 'xfrm: Move IPsec replay detection functions to a separate file'
(9fdc4883d92d20842c5acea77a4a21bb1574b495)
introduced the repl field in struct xfrm_state but initializes it only
on the SA's netlink create path. On the other paths, such as pf_key and
ipcomp/ipcomp6, the repl field remains uninitialized. So if
the SA is created by pf_key, any input packet with the SA's encryption
algorithm will cause a panic.
int xfrm_input()
{
...
x->repl->advance(x, seq);
...
}
This patch fixed it by introduce new function __xfrm_init_state().
Pid: 0, comm: swapper Not tainted 2.6.38-next+ #14 Bochs Bochs
EIP: 0060:[<c078e5d5>] EFLAGS: 00010206 CPU: 0
EIP is at xfrm_input+0x31c/0x4cc
EAX: dd839c00 EBX: 00000084 ECX: 00000000 EDX: 01000000
ESI: dd839c00 EDI: de3a0780 EBP: dec1de88 ESP: dec1de64
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process swapper (pid: 0, ti=dec1c000 task=c09c0f20 task.ti=c0992000)
Stack:
00000000 00000000 00000002 c0ba27c0 00100000 01000000 de3a0798 c0ba27c0
00000033 dec1de98 c0786848 00000000 de3a0780 dec1dea4 c0786868 00000000
dec1debc c074ee56 e1da6b8c de3a0780 c074ed44 de3a07a8 dec1decc c074ef32
Call Trace:
[<c0786848>] xfrm4_rcv_encap+0x22/0x27
[<c0786868>] xfrm4_rcv+0x1b/0x1d
[<c074ee56>] ip_local_deliver_finish+0x112/0x1b1
[<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
[<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
[<c074ef77>] ip_local_deliver+0x3e/0x44
[<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
[<c074ec03>] ip_rcv_finish+0x30a/0x332
[<c074e8f9>] ? ip_rcv_finish+0x0/0x332
[<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
[<c074f188>] ip_rcv+0x20b/0x247
[<c074e8f9>] ? ip_rcv_finish+0x0/0x332
[<c072797d>] __netif_receive_skb+0x373/0x399
[<c0727bc1>] netif_receive_skb+0x4b/0x51
[<e0817e2a>] cp_rx_poll+0x210/0x2c4 [8139cp]
[<c072818f>] net_rx_action+0x9a/0x17d
[<c0445b5c>] __do_softirq+0xa1/0x149
[<c0445abb>] ? __do_softirq+0x0/0x149
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/xfrm.h | 1 | ||||
-rw-r--r-- | net/xfrm/xfrm_state.c | 15 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 2 |
3 files changed, 16 insertions, 2 deletions
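--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1430,6 +1430,7 @@ extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
 extern u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
 extern int xfrm_init_replay(struct xfrm_state *x);
 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
+extern int __xfrm_init_state(struct xfrm_state *x, bool init_replay);
 extern int xfrm_init_state(struct xfrm_state *x);
 extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,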
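--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1907,7 +1907,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
 return res;
 }
 
-int xfrm_init_state(struct xfrm_state *x)
+int __xfrm_init_state(struct xfrm_state *x, bool init_replay)
 {
 struct xfrm_state_afinfo *afinfo;
 struct xfrm_mode *inner_mode;
@@ -1980,12 +1980,25 @@ int xfrm_init_state(struct xfrm_state *x)
 if (x->outer_mode == NULL)
 goto error;
 
+if (init_replay) {
+err = xfrm_init_replay(x);
+if (err)
+goto error;
+}
+
 x->km.state = XFRM_STATE_VALID;
 
 error:
 return err;
 }
 
+EXPORT_SYMBOL(__xfrm_init_state);
+
+int xfrm_init_state(struct xfrm_state *x)
+{
+return __xfrm_init_state(x, true);
+}
+
 EXPORT_SYMBOL(xfrm_init_state);
 
 int __net_init xfrm_state_init(struct net *net)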
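Review bot: The new `init_replay` flag on `__xfrm_init_state()` has no comment saying what a caller that passes `false` must do afterwards, and that contract is the safety property this commit is about. The commit message shows `xfrm_input()` calling `x->repl->advance(x, seq)` unconditionally, so a state that reaches `XFRM_STATE_VALID` without `xfrm_init_replay()` having run hits the same uninitialised `x->repl` that caused the reported panic. Since the function is exported with `EXPORT_SYMBOL`, I would add a comment above the definition such as `/* If init_replay is false the caller must call xfrm_init_replay(x) itself before the state can be used by the input path. */`. The body between the two hunks is not shown, so whether the `error:` path needs any unwinding after a failed `xfrm_init_replay()` cannot be judged from here.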
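--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -511,7 +511,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 
 xfrm_mark_get(attrs, &x->mark);
 
-err = xfrm_init_state(x);
+err = __xfrm_init_state(x, false);
 if (err)
 goto error;
 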
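Review bot: Passing `false` here leaves `x->repl` unset even though `__xfrm_init_state()` has already set `x->km.state = XFRM_STATE_VALID`, and nothing in this hunk shows where the replay setup then happens. Presumably `xfrm_state_construct()` calls `xfrm_init_replay()` further down, once the replay attributes have been copied; the function continues outside the hunk, so this cannot be confirmed from here. A short comment at the call would make the ordering explicit, e.g. `/* replay state is initialised later in this function, after the replay attributes are parsed */`. It is also worth confirming that every error exit between this call and that later initialisation releases the state rather than leaving it reachable.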