Message ID | 20200717083427.GA20687@gauss3.secunet.de |
---|---|
State | RFC |
Delegated to: | David Miller |
Series | [RFC,ipsec] xfrm: Fix crash when the hold queue is used. |

On Fri, Jul 17, 2020 at 10:34:27AM +0200, Steffen Klassert wrote:
> The commits "xfrm: Move dst->path into struct xfrm_dst"
> and "net: Create and use new helper xfrm_dst_child()."
> changed xfrm bundle handling under the assumption
> that xdst->path and dst->child are not a NULL pointer
> only if dst->xfrm is not a NULL pointer. That is true
> with one exception. If the xfrm hold queue is used
> to wait until a SA is installed by the key manager,
> we create a dummy bundle without a valid dst->xfrm
> pointer. The current xfrm bundle handling crashes
> in that case. Fix this by extending the NULL check
> of dst->xfrm with a test of the DST_XFRM_QUEUE flag.
>
> Fixes: 0f6c480f23f4 ("xfrm: Move dst->path into struct xfrm_dst")
> Fixes: b92cf4aab8e6 ("net: Create and use new helper xfrm_dst_child().")
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Now applied to the ipsec tree.

diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 5c20953c8deb..51f65d23ebaf 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -941,7 +941,7 @@ struct xfrm_dst { static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) { #ifdef CONFIG_XFRM - if (dst->xfrm) { + if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst; return xdst->path; @@ -953,7 +953,7 @@ static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst) { #ifdef CONFIG_XFRM - if (dst->xfrm) { + if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { struct xfrm_dst *xdst = (struct xfrm_dst *) dst; return xdst->child; }
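
Review bot: In xfrm_dst_path(), the new condition `dst->xfrm || (dst->flags & DST_XFRM_QUEUE)` is now the only thing that justifies casting dst to struct xfrm_dst, and nothing at the check says why the flag alone is sufficient. A short comment above it, stating that hold-queue dummy bundles carry no dst->xfrm but still need xdst->path (as the commit message explains), would keep a later cleanup from simplifying it back to `if (dst->xfrm)`.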
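
Review bot: The condition added in xfrm_dst_child() is a second copy of the one in xfrm_dst_path(); a small shared inline predicate used by both helpers would keep the two checks from drifting apart. The context line `struct xfrm_dst *xdst = (struct xfrm_dst *) dst;` in this hunk also casts away the const on dst, whereas xfrm_dst_path() uses `const struct xfrm_dst *`; making this one const as well would be consistent.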

The commits "xfrm: Move dst->path into struct xfrm_dst"
and "net: Create and use new helper xfrm_dst_child()."
changed xfrm bundle handling under the assumption
that xdst->path and dst->child are not a NULL pointer
only if dst->xfrm is not a NULL pointer. That is true
with one exception. If the xfrm hold queue is used
to wait until a SA is installed by the key manager,
we create a dummy bundle without a valid dst->xfrm
pointer. The current xfrm bundle handling crashes
in that case. Fix this by extending the NULL check
of dst->xfrm with a test of the DST_XFRM_QUEUE flag.

Fixes: 0f6c480f23f4 ("xfrm: Move dst->path into struct xfrm_dst")
Fixes: b92cf4aab8e6 ("net: Create and use new helper xfrm_dst_child().")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 include/net/xfrm.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)