Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says: ==================== pull request (net): ipsec 2015-03-16 1) Fix the network header offset in _decode_session6 when multiple IPv6 extension headers are present. From Hajime Tazaki. 2) Fix an interfamily tunnel crash. We set outer mode protocol too early and may dispatch to the wrong address family. Move the setting of the outer mode protocol behind the last accessing of the inner mode to fix the crash. 3) Most callers of xfrm_lookup() expect that dst_orig is released on error. But xfrm_lookup_route() may need dst_orig to handle certain error cases. So introduce a flag that tells what should be done in case of error. From Huaibin Wang. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2015-03-16 16:16:49 -0400
committer: David S. Miller <davem@davemloft.net> 2015-03-16 16:16:49 -0400
commit: ca00942a81bb5869131d53c411b34491233181ab (patch)
tree: 585c2f786d24403bb73fb71ee7bfd003ecd45f3a /net
parent: 10640d34552ccd8fabe7b15b0c4e3a102247952d (diff)
parent: ac37e2515c1a89c477459a2020b6bfdedabdb91b (diff)
4 files changed, 9 insertions, 8 deletions
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index d5f6bd9a210a..dab73813cb92 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -63,6 +63,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
                return err;
        IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
+        skb->protocol = htons(ETH_P_IP);
        return x->outer_mode->output2(x, skb);
 }
@@ -71,7 +72,6 @@ EXPORT_SYMBOL(xfrm4_prepare_output);
 int xfrm4_output_finish(struct sk_buff *skb)
 {
        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-        skb->protocol = htons(ETH_P_IP);
 #ifdef CONFIG_NETFILTER
        IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index ca3f29b98ae5..010f8bd2d577 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -114,6 +114,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
                return err;
        skb->ignore_df = 1;
+        skb->protocol = htons(ETH_P_IPV6);
        return x->outer_mode->output2(x, skb);
 }
@@ -122,7 +123,6 @@ EXPORT_SYMBOL(xfrm6_prepare_output);
 int xfrm6_output_finish(struct sk_buff *skb)
 {
        memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
-        skb->protocol = htons(ETH_P_IPV6);
 #ifdef CONFIG_NETFILTER
        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 48bf5a06847b..8d2d01b4800a 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -200,6 +200,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 #if IS_ENABLED(CONFIG_IPV6_MIP6)
                case IPPROTO_MH:
+                        offset += ipv6_optlen(exthdr);
                        if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
                                struct ip6_mh *mh;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index cee479bc655c..638af0655aaf 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2269,11 +2269,9 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
                 * have the xfrm_state's. We need to wait for KM to
                 * negotiate new SA's or bail out with error.*/
                if (net->xfrm.sysctl_larval_drop) {
-                        dst_release(dst);
-                        xfrm_pols_put(pols, drop_pols);
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
+                        err = -EREMOTE;
-                        return ERR_PTR(-EREMOTE);
+                        goto error;
                }
                err = -EAGAIN;
@@ -2324,7 +2322,8 @@ nopol:
 error:
        dst_release(dst);
 dropdst:
-        dst_release(dst_orig);
+        if (!(flags & XFRM_LOOKUP_KEEP_DST_REF))
+                dst_release(dst_orig);
        xfrm_pols_put(pols, drop_pols);
        return ERR_PTR(err);
 }
@@ -2338,7 +2337,8 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
                                    struct sock *sk, int flags)
 {
        struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,
-                                            flags | XFRM_LOOKUP_QUEUE);
+                                            flags | XFRM_LOOKUP_QUEUE |
+                                            XFRM_LOOKUP_KEEP_DST_REF);
        if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
                return make_blackhole(net, dst_orig->ops->family, dst_orig);
author	David S. Miller <davem@davemloft.net>	2015-03-16 16:16:49 -0400
committer	David S. Miller <davem@davemloft.net>	2015-03-16 16:16:49 -0400
commit	ca00942a81bb5869131d53c411b34491233181ab (patch)
tree	585c2f786d24403bb73fb71ee7bfd003ecd45f3a /net
parent	10640d34552ccd8fabe7b15b0c4e3a102247952d (diff)
parent	ac37e2515c1a89c477459a2020b6bfdedabdb91b (diff)

diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c index d5f6bd9a210a..dab73813cb92 100644 --- a/net/ipv4/xfrm4_output.c +++ b/net/ipv4/xfrm4_output.c
@@ -63,6 +63,7 @@ int xfrm4_prepare_output(struct xfrm_state x, struct sk_buff skb)
63	return err;	63	return err;
64		64
65	IPCB(skb)->flags \|= IPSKB_XFRM_TUNNEL_SIZE;	65	IPCB(skb)->flags \|= IPSKB_XFRM_TUNNEL_SIZE;
		66	skb->protocol = htons(ETH_P_IP);
66		67
67	return x->outer_mode->output2(x, skb);	68	return x->outer_mode->output2(x, skb);
68	}	69	}
@@ -71,7 +72,6 @@ EXPORT_SYMBOL(xfrm4_prepare_output);
71	int xfrm4_output_finish(struct sk_buff *skb)	72	int xfrm4_output_finish(struct sk_buff *skb)
72	{	73	{
73	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));	74	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
74	skb->protocol = htons(ETH_P_IP);
75		75
76	#ifdef CONFIG_NETFILTER	76	#ifdef CONFIG_NETFILTER
77	IPCB(skb)->flags \|= IPSKB_XFRM_TRANSFORMED;	77	IPCB(skb)->flags \|= IPSKB_XFRM_TRANSFORMED;


diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index ca3f29b98ae5..010f8bd2d577 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c
@@ -114,6 +114,7 @@ int xfrm6_prepare_output(struct xfrm_state x, struct sk_buff skb)
114	return err;	114	return err;
115		115
116	skb->ignore_df = 1;	116	skb->ignore_df = 1;
		117	skb->protocol = htons(ETH_P_IPV6);
117		118
118	return x->outer_mode->output2(x, skb);	119	return x->outer_mode->output2(x, skb);
119	}	120	}
@@ -122,7 +123,6 @@ EXPORT_SYMBOL(xfrm6_prepare_output);
122	int xfrm6_output_finish(struct sk_buff *skb)	123	int xfrm6_output_finish(struct sk_buff *skb)
123	{	124	{
124	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));	125	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
125	skb->protocol = htons(ETH_P_IPV6);
126		126
127	#ifdef CONFIG_NETFILTER	127	#ifdef CONFIG_NETFILTER
128	IP6CB(skb)->flags \|= IP6SKB_XFRM_TRANSFORMED;	128	IP6CB(skb)->flags \|= IP6SKB_XFRM_TRANSFORMED;


diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 48bf5a06847b..8d2d01b4800a 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c
@@ -200,6 +200,7 @@ _decode_session6(struct sk_buff skb, struct flowi fl, int reverse)
200		200
201	#if IS_ENABLED(CONFIG_IPV6_MIP6)	201	#if IS_ENABLED(CONFIG_IPV6_MIP6)
202	case IPPROTO_MH:	202	case IPPROTO_MH:
		203	offset += ipv6_optlen(exthdr);
203	if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {	204	if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
204	struct ip6_mh *mh;	205	struct ip6_mh *mh;
205		206


diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index cee479bc655c..638af0655aaf 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -2269,11 +2269,9 @@ struct dst_entry xfrm_lookup(struct net net, struct dst_entry *dst_orig,
2269	* have the xfrm_state's. We need to wait for KM to	2269	* have the xfrm_state's. We need to wait for KM to
2270	* negotiate new SA's or bail out with error.*/	2270	* negotiate new SA's or bail out with error.*/
2271	if (net->xfrm.sysctl_larval_drop) {	2271	if (net->xfrm.sysctl_larval_drop) {
2272	dst_release(dst);
2273	xfrm_pols_put(pols, drop_pols);
2274	XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);	2272	XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
2275		2273	err = -EREMOTE;
2276	return ERR_PTR(-EREMOTE);	2274	goto error;
2277	}	2275	}
2278		2276
2279	err = -EAGAIN;	2277	err = -EAGAIN;
@@ -2324,7 +2322,8 @@ nopol:
2324	error:	2322	error:
2325	dst_release(dst);	2323	dst_release(dst);
2326	dropdst:	2324	dropdst:
2327	dst_release(dst_orig);	2325	if (!(flags & XFRM_LOOKUP_KEEP_DST_REF))
		2326	dst_release(dst_orig);
2328	xfrm_pols_put(pols, drop_pols);	2327	xfrm_pols_put(pols, drop_pols);
2329	return ERR_PTR(err);	2328	return ERR_PTR(err);
2330	}	2329	}
@@ -2338,7 +2337,8 @@ struct dst_entry xfrm_lookup_route(struct net net, struct dst_entry *dst_orig,
2338	struct sock *sk, int flags)	2337	struct sock *sk, int flags)
2339	{	2338	{
2340	struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,	2339	struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,
2341	flags \| XFRM_LOOKUP_QUEUE);	2340	flags \| XFRM_LOOKUP_QUEUE \|
		2341	XFRM_LOOKUP_KEEP_DST_REF);
2342		2342
2343	if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)	2343	if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
2344	return make_blackhole(net, dst_orig->ops->family, dst_orig);	2344	return make_blackhole(net, dst_orig->ops->family, dst_orig);