Message ID | 1392801176-2656-1-git-send-email-fan.du@windriver.com |
---|---|
State | Awaiting Upstream, archived |
Delegated to: | David Miller |
Headers | show |
On Wed, Feb 19, 2014 at 05:12:56PM +0800, Fan Du wrote: > > +#ifdef CONFIG_COMPAT > + > +struct compat_xfrm_userpolicy_info { > + struct xfrm_selector sel; > + struct xfrm_lifetime_cfg lft; > + struct xfrm_lifetime_cur curlft; > + __u32 priority; > + __u32 index; > + __u8 dir; > + __u8 action; > +#define XFRM_POLICY_ALLOW 0 > +#define XFRM_POLICY_BLOCK 1 > + __u8 flags; > +#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ > + /* Automatically expand selector to include matching ICMP payloads. */ > +#define XFRM_POLICY_ICMP 2 > + __u8 share; > +} __attribute__((packed)); > + > +struct compat_xfrm_usersa_info { > + struct xfrm_selector sel; > + struct xfrm_id id; > + xfrm_address_t saddr; > + struct xfrm_lifetime_cfg lft; > + struct xfrm_lifetime_cur curlft; > + struct xfrm_stats stats; > + __u32 seq; > + __u32 reqid; > + __u16 family; > + __u8 mode; /* XFRM_MODE_xxx */ > + __u8 replay_window; > + __u8 flags; > +#define XFRM_STATE_NOECN 1 > +#define XFRM_STATE_DECAP_DSCP 2 > +#define XFRM_STATE_NOPMTUDISC 4 > +#define XFRM_STATE_WILDRECV 8 > +#define XFRM_STATE_ICMP 16 > +#define XFRM_STATE_AF_UNSPEC 32 > +#define XFRM_STATE_ALIGN4 64 > +#define XFRM_STATE_ESN 128 > +} __attribute__((packed)); > + You define two structures that you actually don't use, all you do is checking their size. The only reason why this works is because these two structures differ only on some padding bytes at the end. If we want to support 32 bit ipsec tools on 64 bit kernels, we need a complete compat layer for all the userspace exported structures. A lot of userspace exported structures differ not only on some padding bytes at the end. For example the layout of xfrm_userspi_info: on 32 bit: struct xfrm_userspi_info { struct xfrm_usersa_info info; /* 0 220 */ /* XXX last struct has 3 bytes of padding */ /* --- cacheline 3 boundary (192 bytes) was 28 bytes ago --- */ __u32 min; /* 220 4 */ __u32 max; /* 224 4 */ /* size: 228, cachelines: 4, members: 3 */ /* paddings: 1, sum paddings: 3 */ /* last cacheline: 36 bytes */ }; on 64 bit: struct xfrm_userspi_info { struct xfrm_usersa_info info; /* 0 224 */ /* XXX last struct has 7 bytes of padding */ /* --- cacheline 3 boundary (192 bytes) was 32 bytes ago --- */ __u32 min; /* 224 4 */ __u32 max; /* 228 4 */ /* size: 232, cachelines: 4, members: 3 */ /* paddings: 1, sum paddings: 7 */ /* last cacheline: 40 bytes */ }; So the 'min' field has an offest of 220 bytes on 32 bit and an offset of 224 bytes on 64 bit. We would need a compatability layer like we have it for system calls to map this correct. For now I think we should just refuse to do anything if someone tries to configure ipsec with 32 bit tools on a 64 bit machine. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h index a8cd6a4..8d2fa8d 100644 --- a/include/uapi/linux/xfrm.h +++ b/include/uapi/linux/xfrm.h @@ -506,4 +506,48 @@ enum xfrm_nlgroups { }; #define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1) +#ifdef CONFIG_COMPAT + +struct compat_xfrm_userpolicy_info { + struct xfrm_selector sel; + struct xfrm_lifetime_cfg lft; + struct xfrm_lifetime_cur curlft; + __u32 priority; + __u32 index; + __u8 dir; + __u8 action; +#define XFRM_POLICY_ALLOW 0 +#define XFRM_POLICY_BLOCK 1 + __u8 flags; +#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ + /* Automatically expand selector to include matching ICMP payloads. */ +#define XFRM_POLICY_ICMP 2 + __u8 share; +} __attribute__((packed)); + +struct compat_xfrm_usersa_info { + struct xfrm_selector sel; + struct xfrm_id id; + xfrm_address_t saddr; + struct xfrm_lifetime_cfg lft; + struct xfrm_lifetime_cur curlft; + struct xfrm_stats stats; + __u32 seq; + __u32 reqid; + __u16 family; + __u8 mode; /* XFRM_MODE_xxx */ + __u8 replay_window; + __u8 flags; +#define XFRM_STATE_NOECN 1 +#define XFRM_STATE_DECAP_DSCP 2 +#define XFRM_STATE_NOPMTUDISC 4 +#define XFRM_STATE_WILDRECV 8 +#define XFRM_STATE_ICMP 16 +#define XFRM_STATE_AF_UNSPEC 32 +#define XFRM_STATE_ALIGN4 64 +#define XFRM_STATE_ESN 128 +} __attribute__((packed)); + +#endif + #endif /* _LINUX_XFRM_H */ diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 1ae3ec7..8bfbd95 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -2281,6 +2281,12 @@ static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32), }; +static const int compat_xfrm_msg_min[XFRM_NR_MSGTYPES] = { + [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(compat_xfrm_usersa_info), + [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(compat_xfrm_userpolicy_info), + [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(compat_xfrm_userpolicy_info), +}; + #undef XMSGSIZE static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { @@ -2346,6 +2352,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct nlattr *attrs[XFRMA_MAX+1]; const struct xfrm_link *link; int type, err; + int len; type = nlh->nlmsg_type; if (type > XFRM_MSG_MAX) @@ -2373,7 +2380,14 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } } - err = nlmsg_parse(nlh, xfrm_msg_min[type], attrs, XFRMA_MAX, +#ifdef CONFIG_COMPAT + if (is_compat_task()) + len = compat_xfrm_msg_min[type]; + else +#endif + len = xfrm_msg_min[type]; + + err = nlmsg_parse(nlh, len, attrs, XFRMA_MAX, xfrma_policy); if (err < 0) return err;
When trying to setup IPsec configuration on a 64bits host with iproute2(32bits compiled), the intended xfrm policy and sa is either deficit or wrong when kernel trying to parse user land information. Add compat support for 32bits compiled ip command for 64bits host. Signed-off-by: Fan Du <fan.du@windriver.com> --- include/uapi/linux/xfrm.h | 44 ++++++++++++++++++++++++++++++++++++++++++++ net/xfrm/xfrm_user.c | 16 +++++++++++++++- 2 files changed, 59 insertions(+), 1 deletion(-)