Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
This pull request fixes some issues that arise when 6in4 or 4in6 tunnels
are used in combination with IPsec, all from Hannes Frederic Sowa and a
null pointer dereference when queueing packets to the policy hold queue.

1) We might access the local error handler of the wrong address family if
   6in4 or 4in6 tunnel is protected by ipsec. Fix this by addind a pointer
   to the correct local_error to xfrm_state_afinet.

2) Add a helper function to always refer to the correct interpretation
   of skb->sk.

3) Call skb_reset_inner_headers to record the position of the inner headers
   when adding a new one in various ipv6 tunnels. This is needed to identify
   the addresses where to send back errors in the xfrm layer.

4) Dereference inner ipv6 header if encapsulated to always call the
   right error handler.

5) Choose protocol family by skb protocol to not call the wrong
   xfrm{4,6}_local_error handler in case an ipv6 sockets is used
   in ipv4 mode.

6) Partly revert "xfrm: introduce helper for safe determination of mtu"
   because this introduced pmtu discovery problems.

7) Set skb->protocol on tcp, raw and ip6_append_data genereated skbs.
   We need this to get the correct mtu informations in xfrm.

8) Fix null pointer dereference in xdst_queue_output.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

7 files changed, 36 insertions, 6 deletions

diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index ecd60733e5e2..90747f1973fe 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -724,6 +724,11 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb,
                 ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
         }
 
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
+
         skb_push(skb, gre_hlen);
         skb_reset_network_header(skb);
         skb_set_transport_header(skb, sizeof(*ipv6h));
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 6e3ddf806ec2..e7ceb6c871d1 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -238,6 +238,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
         hdr->saddr = fl6->saddr;
         hdr->daddr = *first_hop;
 
+        skb->protocol = htons(ETH_P_IPV6);
         skb->priority = sk->sk_priority;
         skb->mark = sk->sk_mark;
 
@@ -1057,6 +1058,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
                 /* initialize protocol header pointer */
                 skb->transport_header = skb->network_header + fragheaderlen;
 
+                skb->protocol = htons(ETH_P_IPV6);
                 skb->ip_summed = CHECKSUM_PARTIAL;
                 skb->csum = 0;
         }
@@ -1359,6 +1361,7 @@ alloc_new_skb:
                         /*
                          *      Fill in the control structures
                          */
+                        skb->protocol = htons(ETH_P_IPV6);
                         skb->ip_summed = CHECKSUM_NONE;
                         skb->csum = 0;
                         /* reserve for fragmentation and ipsec header */
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 1e55866cead7..46ba243605a3 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1027,6 +1027,12 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
                 init_tel_txopt(&opt, encap_limit);
                 ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
         }
+
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
+
         skb_push(skb, sizeof(struct ipv6hdr));
         skb_reset_network_header(skb);
         ipv6h = ipv6_hdr(skb);
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index c45f7a5c36e9..cdaed47ba932 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -628,6 +628,7 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
                 goto error;
         skb_reserve(skb, hlen);
 
+        skb->protocol = htons(ETH_P_IPV6);
         skb->priority = sk->sk_priority;
         skb->mark = sk->sk_mark;
         skb_dst_set(skb, &rt->dst);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index a3437a4cd07e..fbfc5a83867f 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -888,6 +888,11 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                 ttl = iph6->hop_limit;
         tos = INET_ECN_encapsulate(tos, ipv6_get_dsfield(iph6));
 
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
+
         err = iptunnel_xmit(dev_net(dev), rt, skb, fl4.saddr, fl4.daddr,
                             IPPROTO_IPV6, tos, ttl, df);
         iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 8755a3079d0f..6cd625e37706 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -34,8 +34,10 @@ static int xfrm6_local_dontfrag(struct sk_buff *skb)
         struct sock *sk = skb->sk;
 
         if (sk) {
-                proto = sk->sk_protocol;
+                if (sk->sk_family != AF_INET6)
+                        return 0;
 
+                proto = sk->sk_protocol;
                 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
                         return inet6_sk(sk)->dontfrag;
         }
@@ -54,13 +56,15 @@ static void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu)
         ipv6_local_rxpmtu(sk, &fl6, mtu);
 }
 
-static void xfrm6_local_error(struct sk_buff *skb, u32 mtu)
+void xfrm6_local_error(struct sk_buff *skb, u32 mtu)
 {
         struct flowi6 fl6;
+        const struct ipv6hdr *hdr;
         struct sock *sk = skb->sk;
 
+        hdr = skb->encapsulation ? inner_ipv6_hdr(skb) : ipv6_hdr(skb);
         fl6.fl6_dport = inet_sk(sk)->inet_dport;
-        fl6.daddr = ipv6_hdr(skb)->daddr;
+        fl6.daddr = hdr->daddr;
 
         ipv6_local_error(sk, EMSGSIZE, &fl6, mtu);
 }
@@ -80,7 +84,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb)
                 if (xfrm6_local_dontfrag(skb))
                         xfrm6_local_rxpmtu(skb, mtu);
                 else if (skb->sk)
-                        xfrm6_local_error(skb, mtu);
+                        xfrm_local_error(skb, mtu);
                 else
                         icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
                 ret = -EMSGSIZE;
@@ -136,13 +140,18 @@ static int __xfrm6_output(struct sk_buff *skb)
 {
         struct dst_entry *dst = skb_dst(skb);
         struct xfrm_state *x = dst->xfrm;
-        int mtu = ip6_skb_dst_mtu(skb);
+        int mtu;
+
+        if (skb->protocol == htons(ETH_P_IPV6))
+                mtu = ip6_skb_dst_mtu(skb);
+        else
+                mtu = dst_mtu(skb_dst(skb));
 
         if (skb->len > mtu && xfrm6_local_dontfrag(skb)) {
                 xfrm6_local_rxpmtu(skb, mtu);
                 return -EMSGSIZE;
         } else if (!skb->local_df && skb->len > mtu && skb->sk) {
-                xfrm6_local_error(skb, mtu);
+                xfrm_local_error(skb, mtu);
                 return -EMSGSIZE;
         }
 
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index d8c70b8efc24..3fc970135fc6 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -183,6 +183,7 @@ static struct xfrm_state_afinfo xfrm6_state_afinfo = {
         .extract_input          = xfrm6_extract_input,
         .extract_output         = xfrm6_extract_output,
         .transport_finish       = xfrm6_transport_finish,
+        .local_error            = xfrm6_local_error,
 };
 
 int __init xfrm6_state_init(void)