Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says: ==================== This pull request fixes some issues that arise when 6in4 or 4in6 tunnels are used in combination with IPsec, all from Hannes Frederic Sowa and a null pointer dereference when queueing packets to the policy hold queue. 1) We might access the local error handler of the wrong address family if 6in4 or 4in6 tunnel is protected by ipsec. Fix this by addind a pointer to the correct local_error to xfrm_state_afinet. 2) Add a helper function to always refer to the correct interpretation of skb->sk. 3) Call skb_reset_inner_headers to record the position of the inner headers when adding a new one in various ipv6 tunnels. This is needed to identify the addresses where to send back errors in the xfrm layer. 4) Dereference inner ipv6 header if encapsulated to always call the right error handler. 5) Choose protocol family by skb protocol to not call the wrong xfrm{4,6}_local_error handler in case an ipv6 sockets is used in ipv4 mode. 6) Partly revert "xfrm: introduce helper for safe determination of mtu" because this introduced pmtu discovery problems. 7) Set skb->protocol on tcp, raw and ip6_append_data genereated skbs. We need this to get the correct mtu informations in xfrm. 8) Fix null pointer dereference in xdst_queue_output. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-08-29 16:05:30 -0400
committer: David S. Miller <davem@davemloft.net> 2013-08-29 16:05:30 -0400
commit: 79f9ab7e0a8ec452e58b5a5267b9eb019ff493d0 (patch)
tree: 650d432ab57882fa022b0edaee058fe8044e68c0
parent: 1f324e38870cc09659cf23bc626f1b8869e201f2 (diff)
parent: 302a50bc941010d7a67f288fd0db31981e4d722d (diff)
15 files changed, 86 insertions, 32 deletions
diff --git a/include/net/route.h b/include/net/route.h
index 2ea40c1b5e00..afdeeb5bec25 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -317,4 +317,12 @@ static inline int ip4_dst_hoplimit(const struct dst_entry *dst)
        return hoplimit;
 }
+static inline int ip_skb_dst_mtu(struct sk_buff *skb)
+{
+        struct inet_sock *inet = skb->sk ? inet_sk(skb->sk) : NULL;
+        return (inet && inet->pmtudisc == IP_PMTUDISC_PROBE) ?
+               skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
+}
 #endif  /* _ROUTE_H */
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 94ce082b29dc..e823786e7c66 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -341,10 +341,13 @@ struct xfrm_state_afinfo {
                                                  struct sk_buff *skb);
        int                     (*transport_finish)(struct sk_buff *skb,
                                                    int async);
+        void                    (*local_error)(struct sk_buff *skb, u32 mtu);
 };
 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
+extern struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
+extern void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
 extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
@@ -1477,6 +1480,7 @@ extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
 extern int xfrm_output_resume(struct sk_buff *skb, int err);
 extern int xfrm_output(struct sk_buff *skb);
 extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
+extern void xfrm_local_error(struct sk_buff *skb, int mtu);
 extern int xfrm4_extract_header(struct sk_buff *skb);
 extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
@@ -1497,6 +1501,7 @@ extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short fam
 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
 extern int xfrm4_mode_tunnel_input_register(struct xfrm_tunnel *handler);
 extern int xfrm4_mode_tunnel_input_deregister(struct xfrm_tunnel *handler);
+extern void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
 extern int xfrm6_extract_header(struct sk_buff *skb);
 extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
@@ -1514,6 +1519,7 @@ extern int xfrm6_output(struct sk_buff *skb);
 extern int xfrm6_output_finish(struct sk_buff *skb);
 extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
                                 u8 **prevhdr);
+extern void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
 #ifdef CONFIG_XFRM
 extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 4bcabf3ab4ca..9ee17e3d11c3 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -211,14 +211,6 @@ static inline int ip_finish_output2(struct sk_buff *skb)
        return -EINVAL;
 }
-static inline int ip_skb_dst_mtu(struct sk_buff *skb)
-{
-        struct inet_sock *inet = skb->sk ? inet_sk(skb->sk) : NULL;
-        return (inet && inet->pmtudisc == IP_PMTUDISC_PROBE) ?
-               skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
-}
 static int ip_finish_output(struct sk_buff *skb)
 {
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 327a617d594c..baa0f63731fd 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -21,7 +21,6 @@
 static int xfrm4_tunnel_check_size(struct sk_buff *skb)
 {
        int mtu, ret = 0;
-        struct dst_entry *dst;
        if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE)
                goto out;
@@ -29,12 +28,10 @@ static int xfrm4_tunnel_check_size(struct sk_buff *skb)
        if (!(ip_hdr(skb)->frag_off & htons(IP_DF)) || skb->local_df)
                goto out;
-        dst = skb_dst(skb);
+        mtu = dst_mtu(skb_dst(skb));
-        mtu = dst_mtu(dst);
        if (skb->len > mtu) {
                if (skb->sk)
-                        ip_local_error(skb->sk, EMSGSIZE, ip_hdr(skb)->daddr,
+                        xfrm_local_error(skb, mtu);
-                                       inet_sk(skb->sk)->inet_dport, mtu);
                else
                        icmp_send(skb, ICMP_DEST_UNREACH,
                                  ICMP_FRAG_NEEDED, htonl(mtu));
@@ -99,3 +96,12 @@ int xfrm4_output(struct sk_buff *skb)
                            x->outer_mode->afinfo->output_finish,
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
+void xfrm4_local_error(struct sk_buff *skb, u32 mtu)
+{
+        struct iphdr *hdr;
+        hdr = skb->encapsulation ? inner_ip_hdr(skb) : ip_hdr(skb);
+        ip_local_error(skb->sk, EMSGSIZE, hdr->daddr,
+                       inet_sk(skb->sk)->inet_dport, mtu);
+}
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 9258e751baba..0b2a0641526a 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -83,6 +83,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
        .extract_input          = xfrm4_extract_input,
        .extract_output         = xfrm4_extract_output,
        .transport_finish       = xfrm4_transport_finish,
+        .local_error            = xfrm4_local_error,
 };
 void __init xfrm4_state_init(void)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index ecd60733e5e2..90747f1973fe 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -724,6 +724,11 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb,
                ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
        }
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
        skb_push(skb, gre_hlen);
        skb_reset_network_header(skb);
        skb_set_transport_header(skb, sizeof(*ipv6h));
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 6e3ddf806ec2..e7ceb6c871d1 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -238,6 +238,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
        hdr->saddr = fl6->saddr;
        hdr->daddr = *first_hop;
+        skb->protocol = htons(ETH_P_IPV6);
        skb->priority = sk->sk_priority;
        skb->mark = sk->sk_mark;
@@ -1057,6 +1058,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
                /* initialize protocol header pointer */
                skb->transport_header = skb->network_header + fragheaderlen;
+                skb->protocol = htons(ETH_P_IPV6);
                skb->ip_summed = CHECKSUM_PARTIAL;
                skb->csum = 0;
        }
@@ -1359,6 +1361,7 @@ alloc_new_skb:
                        /*
                         *      Fill in the control structures
                         */
+                        skb->protocol = htons(ETH_P_IPV6);
                        skb->ip_summed = CHECKSUM_NONE;
                        skb->csum = 0;
                        /* reserve for fragmentation and ipsec header */
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 1e55866cead7..46ba243605a3 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1027,6 +1027,12 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
                init_tel_txopt(&opt, encap_limit);
                ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
        }
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
        skb_push(skb, sizeof(struct ipv6hdr));
        skb_reset_network_header(skb);
        ipv6h = ipv6_hdr(skb);
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index c45f7a5c36e9..cdaed47ba932 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -628,6 +628,7 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
                goto error;
        skb_reserve(skb, hlen);
+        skb->protocol = htons(ETH_P_IPV6);
        skb->priority = sk->sk_priority;
        skb->mark = sk->sk_mark;
        skb_dst_set(skb, &rt->dst);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index a3437a4cd07e..fbfc5a83867f 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -888,6 +888,11 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                ttl = iph6->hop_limit;
        tos = INET_ECN_encapsulate(tos, ipv6_get_dsfield(iph6));
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
        err = iptunnel_xmit(dev_net(dev), rt, skb, fl4.saddr, fl4.daddr,
                            IPPROTO_IPV6, tos, ttl, df);
        iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 8755a3079d0f..6cd625e37706 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -34,8 +34,10 @@ static int xfrm6_local_dontfrag(struct sk_buff *skb)
        struct sock *sk = skb->sk;
        if (sk) {
-                proto = sk->sk_protocol;
+                if (sk->sk_family != AF_INET6)
+                        return 0;
+                proto = sk->sk_protocol;
                if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
                        return inet6_sk(sk)->dontfrag;
        }
@@ -54,13 +56,15 @@ static void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu)
        ipv6_local_rxpmtu(sk, &fl6, mtu);
 }
-static void xfrm6_local_error(struct sk_buff *skb, u32 mtu)
+void xfrm6_local_error(struct sk_buff *skb, u32 mtu)
 {
        struct flowi6 fl6;
+        const struct ipv6hdr *hdr;
        struct sock *sk = skb->sk;
+        hdr = skb->encapsulation ? inner_ipv6_hdr(skb) : ipv6_hdr(skb);
        fl6.fl6_dport = inet_sk(sk)->inet_dport;
-        fl6.daddr = ipv6_hdr(skb)->daddr;
+        fl6.daddr = hdr->daddr;
        ipv6_local_error(sk, EMSGSIZE, &fl6, mtu);
 }
@@ -80,7 +84,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb)
                if (xfrm6_local_dontfrag(skb))
                        xfrm6_local_rxpmtu(skb, mtu);
                else if (skb->sk)
-                        xfrm6_local_error(skb, mtu);
+                        xfrm_local_error(skb, mtu);
                else
                        icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
                ret = -EMSGSIZE;
@@ -136,13 +140,18 @@ static int __xfrm6_output(struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
        struct xfrm_state *x = dst->xfrm;
-        int mtu = ip6_skb_dst_mtu(skb);
+        int mtu;
+        if (skb->protocol == htons(ETH_P_IPV6))
+                mtu = ip6_skb_dst_mtu(skb);
+        else
+                mtu = dst_mtu(skb_dst(skb));
        if (skb->len > mtu && xfrm6_local_dontfrag(skb)) {
                xfrm6_local_rxpmtu(skb, mtu);
                return -EMSGSIZE;
        } else if (!skb->local_df && skb->len > mtu && skb->sk) {
-                xfrm6_local_error(skb, mtu);
+                xfrm_local_error(skb, mtu);
                return -EMSGSIZE;
        }
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index d8c70b8efc24..3fc970135fc6 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -183,6 +183,7 @@ static struct xfrm_state_afinfo xfrm6_state_afinfo = {
        .extract_input          = xfrm6_extract_input,
        .extract_output         = xfrm6_extract_output,
        .transport_finish       = xfrm6_transport_finish,
+        .local_error            = xfrm6_local_error,
 };
 int __init xfrm6_state_init(void)
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index eb4a84288648..3bb2cdc13b46 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -214,5 +214,26 @@ int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
        return inner_mode->afinfo->extract_output(x, skb);
 }
+void xfrm_local_error(struct sk_buff *skb, int mtu)
+{
+        unsigned int proto;
+        struct xfrm_state_afinfo *afinfo;
+        if (skb->protocol == htons(ETH_P_IP))
+                proto = AF_INET;
+        else if (skb->protocol == htons(ETH_P_IPV6))
+                proto = AF_INET6;
+        else
+                return;
+        afinfo = xfrm_state_get_afinfo(proto);
+        if (!afinfo)
+                return;
+        afinfo->local_error(skb, mtu);
+        xfrm_state_put_afinfo(afinfo);
+}
 EXPORT_SYMBOL_GPL(xfrm_output);
 EXPORT_SYMBOL_GPL(xfrm_inner_extract_output);
+EXPORT_SYMBOL_GPL(xfrm_local_error);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e52cab3591dd..f77c371ea72b 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -320,10 +320,8 @@ static void xfrm_queue_purge(struct sk_buff_head *list)
 {
        struct sk_buff *skb;
-        while ((skb = skb_dequeue(list)) != NULL) {
+        while ((skb = skb_dequeue(list)) != NULL)
-                dev_put(skb->dev);
                kfree_skb(skb);
-        }
 }
 /* Rule must be locked. Release descentant resources, announce
@@ -1758,7 +1756,6 @@ static void xfrm_policy_queue_process(unsigned long arg)
        struct sk_buff *skb;
        struct sock *sk;
        struct dst_entry *dst;
-        struct net_device *dev;
        struct xfrm_policy *pol = (struct xfrm_policy *)arg;
        struct xfrm_policy_queue *pq = &pol->polq;
        struct flowi fl;
@@ -1805,7 +1802,6 @@ static void xfrm_policy_queue_process(unsigned long arg)
                dst = xfrm_lookup(xp_net(pol), skb_dst(skb)->path,
                                  &fl, skb->sk, 0);
                if (IS_ERR(dst)) {
-                        dev_put(skb->dev);
                        kfree_skb(skb);
                        continue;
                }
@@ -1814,9 +1810,7 @@ static void xfrm_policy_queue_process(unsigned long arg)
                skb_dst_drop(skb);
                skb_dst_set(skb, dst);
-                dev = skb->dev;
                err = dst_output(skb);
-                dev_put(dev);
        }
        return;
@@ -1839,7 +1833,6 @@ static int xdst_queue_output(struct sk_buff *skb)
        }
        skb_dst_force(skb);
-        dev_hold(skb->dev);
        spin_lock_bh(&pq->hold_queue.lock);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 78f66fa92449..54c0acd29468 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -39,9 +39,6 @@ static DEFINE_SPINLOCK(xfrm_state_lock);
 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
-static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
-static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
 static inline unsigned int xfrm_dst_hash(struct net *net,
                                         const xfrm_address_t *daddr,
                                         const xfrm_address_t *saddr,
@@ -1860,7 +1857,7 @@ int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
 }
 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
-static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
+struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
 {
        struct xfrm_state_afinfo *afinfo;
        if (unlikely(family >= NPROTO))
@@ -1872,7 +1869,7 @@ static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
        return afinfo;
 }
-static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
+void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
 {
        rcu_read_unlock();
 }
author	David S. Miller <davem@davemloft.net>	2013-08-29 16:05:30 -0400
committer	David S. Miller <davem@davemloft.net>	2013-08-29 16:05:30 -0400
commit	79f9ab7e0a8ec452e58b5a5267b9eb019ff493d0 (patch)
tree	650d432ab57882fa022b0edaee058fe8044e68c0
parent	1f324e38870cc09659cf23bc626f1b8869e201f2 (diff)
parent	302a50bc941010d7a67f288fd0db31981e4d722d (diff)