[net-next] xfrm: Correctly parse netlink msg from 32bits ip command on 64bits host

When trying to setup IPsec configuration on a 64bits host with
iproute2(32bits compiled), the intended xfrm policy and sa is
either deficit or wrong when kernel trying to parse user land
information.

Add compat support for 32bits compiled ip command for 64bits host.

Signed-off-by: Fan Du <fan.du@windriver.com>
---
 include/uapi/linux/xfrm.h |   44 ++++++++++++++++++++++++++++++++++++++++++++
 net/xfrm/xfrm_user.c      |   16 +++++++++++++++-
 2 files changed, 59 insertions(+), 1 deletion(-)

On Wed, Feb 19, 2014 at 05:12:56PM +0800, Fan Du wrote:
>  
> +#ifdef CONFIG_COMPAT
> +
> +struct compat_xfrm_userpolicy_info {
> +	struct xfrm_selector		sel;
> +	struct xfrm_lifetime_cfg	lft;
> +	struct xfrm_lifetime_cur	curlft;
> +	__u32				priority;
> +	__u32				index;
> +	__u8				dir;
> +	__u8				action;
> +#define XFRM_POLICY_ALLOW	0
> +#define XFRM_POLICY_BLOCK	1
> +	__u8				flags;
> +#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
> +	/* Automatically expand selector to include matching ICMP payloads. */
> +#define XFRM_POLICY_ICMP	2
> +	__u8				share;
> +} __attribute__((packed));
> +
> +struct compat_xfrm_usersa_info {
> +	struct xfrm_selector		sel;
> +	struct xfrm_id			id;
> +	xfrm_address_t			saddr;
> +	struct xfrm_lifetime_cfg	lft;
> +	struct xfrm_lifetime_cur	curlft;
> +	struct xfrm_stats		stats;
> +	__u32				seq;
> +	__u32				reqid;
> +	__u16				family;
> +	__u8				mode;		/* XFRM_MODE_xxx */
> +	__u8				replay_window;
> +	__u8				flags;
> +#define XFRM_STATE_NOECN	1
> +#define XFRM_STATE_DECAP_DSCP	2
> +#define XFRM_STATE_NOPMTUDISC	4
> +#define XFRM_STATE_WILDRECV	8
> +#define XFRM_STATE_ICMP		16
> +#define XFRM_STATE_AF_UNSPEC	32
> +#define XFRM_STATE_ALIGN4	64
> +#define XFRM_STATE_ESN		128
> +} __attribute__((packed));
> +

You define two structures that you actually don't use,
all you do is checking their size.

The only reason why this works is because these two
structures differ only on some padding bytes at the
end. If we want to support 32 bit ipsec tools on
64 bit kernels, we need a complete compat layer
for all the userspace exported structures.

A lot of userspace exported structures differ not only
on some padding bytes at the end.

For example the layout of xfrm_userspi_info:

on 32 bit:

struct xfrm_userspi_info {
        struct xfrm_usersa_info    info;                 /*     0   220 */

        /* XXX last struct has 3 bytes of padding */

        /* --- cacheline 3 boundary (192 bytes) was 28 bytes ago --- */
        __u32                      min;                  /*   220     4 */
        __u32                      max;                  /*   224     4 */

        /* size: 228, cachelines: 4, members: 3 */
        /* paddings: 1, sum paddings: 3 */
        /* last cacheline: 36 bytes */
};

on 64 bit:

struct xfrm_userspi_info {
        struct xfrm_usersa_info    info;                 /*     0   224 */

        /* XXX last struct has 7 bytes of padding */

        /* --- cacheline 3 boundary (192 bytes) was 32 bytes ago --- */
        __u32                      min;                  /*   224     4 */
        __u32                      max;                  /*   228     4 */

        /* size: 232, cachelines: 4, members: 3 */
        /* paddings: 1, sum paddings: 7 */
        /* last cacheline: 40 bytes */
};


So the 'min' field has an offest of 220 bytes on 32 bit and an offset
of 224 bytes on 64 bit. We would need a compatability layer like we
have it for system calls to map this correct.

For now I think we should just refuse to do anything if someone tries
to configure ipsec with 32 bit tools on a 64 bit machine.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html