From patchwork Mon Jul 12 07:01:23 2010
X-Patchwork-Submitter: Timo Teras
X-Patchwork-Id: 58575
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <4C3ABDC3.3000408@iki.fi>
Date: Mon, 12 Jul 2010 10:01:23 +0300
From: Timo Teräs
To: George Spelvin
CC: davem@davemloft.net, netdev@vger.kernel.org
Subject: Re: [REGRESSION,BISECTED] Panic on ifup
In-Reply-To: <20100711170908.5770.qmail@science.horizon.com>

On 07/11/2010 08:09 PM, George Spelvin wrote:
>> On 07/11/2010 03:38 PM, George Spelvin wrote:
>>> No, although /etc/ipec-tools.conf runs setkey. As I said,
>>> I was mostly running in single-user mode; a ps axf
>>> output is appended.
>>>
>>> Ah! A discovery! There are rules for the gateway!
>>>
>>> add esp 0x200 -E aes-cbc
>>> ;
>>> add esp 0x300 -E aes-cbc
>>> ;
>>> spdadd any -P in ipsec
>>> esp/transport//use;
>>> spdadd any -P out ipsec
>>> esp/transport//use;
>
>> This means optional encryption. Probably something goes wrong
>> constructing the bundle which results in encryption not being applied.
>> And it would look like xfrm_resolve_and_create_bundle() does not take
>> this into account properly. I need to fix it with optional policies.
>>
>> In the mean while, could confirm if everything works if you change the
>> last line to:
>> esp/transport//require;
>
> Will do.
>
> This might lead to no traffic if there's something else broken, however
> it should not crash. This change is needed only for the 'out' policy, as
> the bundles are used only on xmit code paths.
>
>> yup, xfrm_resolve_and_create_bundle looks to be the culprit. I'll try to
>> figure out a patch for testing.

Can you try the patch attached to end?

>> Ok, this is basically what setkey did for you. Looks like it was ran
>> twice and you are missing flush and spdflush from setkey, so you get
>> duplicates here. Otherwise it's ok.
>
> Um, I am *not* missing flush and spdflush.
The entire file, with comments > and blank lines stripped, and some details censored, is: > > #!/usr/sbin/setkey -f > flush; > spdflush; > add $LOCALNET.1 $LOCALNET.62 esp 0x200 -E aes-cbc ; > add $LOCALNET.62 $LOCALNET.1 esp 0x300 -E aes-cbc ; > add $LOCALNET.3 $LOCALNET.62 esp 0x400 -E aes-cbc ; > add $LOCALNET.62 $LOCALNET.3 esp 0x500 -E aes-cbc ; > spdadd $LOCALNET.1 $LOCALNET.62 any -P in ipsec esp/transport//use; > spdadd $LOCALNET.62 $LOCALNET.1 any -P out ipsec esp/transport//use; > spdadd $LOCALNET.3 $LOCALNET.62 any -P in ipsec esp/transport//use; > spdadd $LOCALNET.62 $LOCALNET.3 any -P out ipsec esp/transport//use; Ah, ok. Did not bother to double check the related IPs as I thought it was full ipsec.conf. Everything is okay then. And here goes the patch (which I've only compile tested so far). if (IS_ERR(dst)) { @@ -1678,6 +1679,13 @@ xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir, goto make_dummy_bundle; dst_hold(&xdst->u.dst); return oldflo; + } else if (new_xdst == NULL) { + num_xfrms = 0; + if (oldflo == NULL) + goto make_dummy_bundle; + xdst->num_xfrms = 0; + dst_hold(&xdst->u.dst); + return oldflo; } /* Kill the previous bundle */ @@ -1760,6 +1768,10 @@ restart: xfrm_pols_put(pols, num_pols); err = PTR_ERR(xdst); goto dropdst; + } else if (xdst == NULL) { + num_xfrms = 0; + drop_pols = num_pols; + goto no_transform; } spin_lock_bh(&xfrm_policy_sk_bundle_lock); Tested-by: George Spelvin --- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index af1c173..200f8d7 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c 
@@ -1598,7 +1598,8 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, if (err != -EAGAIN) XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); return ERR_PTR(err); - } + } else if (err == 0) + return NULL; dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);
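
Review bot: In the xfrm_resolve_and_create_bundle() hunk, the new `} else if (err == 0)` arm gives the function a third return kind (NULL, alongside ERR_PTR() and a valid bundle) and nothing documents it. IS_ERR(NULL) is false, so a caller that only tests IS_ERR() would go on to dereference NULL; the two other hunks add NULL checks, but a comment above the function saying that NULL means the policies resolved to zero transforms would make the contract explicit, and any remaining callers should be checked against it. `err` is also doing double duty as a transform count here (it is what gets passed to xfrm_bundle_create()), so `err == 0` reads like success rather than "nothing to apply"; a short comment on that line would help. Style: the preceding arm is braced, so kernel coding style wants braces on this `else if` arm as well.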
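
Review bot: In the xfrm_bundle_lookup() hunk, the new `new_xdst == NULL` branch writes `xdst->num_xfrms = 0` and calls `dst_hold(&xdst->u.dst)` after testing only `oldflo == NULL`. That is safe only if xdst is always valid whenever oldflo is non-NULL, and the hunk does not show that invariant; either test xdst directly or add a one-line comment stating why it cannot be NULL here. The tail of the branch (`dst_hold(&xdst->u.dst); return oldflo;`) also duplicates the branch just above it, so a shared label would keep the two reference-taking paths from drifting apart.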
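
Review bot: In the hunk after `restart:`, the new `xdst == NULL` branch handles policy references differently from the error branch right above it: the IS_ERR() path calls `xfrm_pols_put(pols, num_pols)` directly, while the new path sets `drop_pols = num_pols` and jumps to no_transform. The code at no_transform is not part of this hunk, so please confirm that path releases drop_pols references on every exit, otherwise the policies looked up here leak a reference each time an optional ('use') policy resolves to no transforms. A brief comment on the branch naming that case (optional policy, no matching state) would also make it clear why a NULL bundle is not an error.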