From patchwork Mon Mar 21 05:45:39 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wei Yongjun X-Patchwork-Id: 87686 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id B4AD3B6F7B for ; Mon, 21 Mar 2011 16:45:18 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752840Ab1CUFpN (ORCPT ); Mon, 21 Mar 2011 01:45:13 -0400 Received: from cn.fujitsu.com ([222.73.24.84]:54332 "EHLO song.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1752786Ab1CUFpL (ORCPT ); Mon, 21 Mar 2011 01:45:11 -0400 Received: from tang.cn.fujitsu.com (tang.cn.fujitsu.com [10.167.250.3]) by song.cn.fujitsu.com (Postfix) with ESMTP id CD9E7170091; Mon, 21 Mar 2011 13:45:09 +0800 (CST) Received: from mailserver.fnst.cn.fujitus.com (tang.cn.fujitsu.com [127.0.0.1]) by tang.cn.fujitsu.com (8.14.3/8.13.1) with ESMTP id p2L5d47E027742; Mon, 21 Mar 2011 13:39:04 +0800 Received: from [10.167.226.141] ([10.167.226.141]) by mailserver.fnst.cn.fujitus.com (Lotus Domino Release 8.5.1FP4) with ESMTP id 2011032113434634-60145 ; Mon, 21 Mar 2011 13:43:46 +0800 Message-ID: <4D86E603.8080704@cn.fujitsu.com> Date: Mon, 21 Mar 2011 13:45:39 +0800 From: Wei Yongjun User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7 MIME-Version: 1.0 To: "netdev@vger.kernel.org" , David Miller , Steffen Klassert Subject: xfrm: Fix initialize repl field of struct xfrm_state X-MIMETrack: Itemize by SMTP Server on mailserver/fnst(Release 8.5.1FP4|July 25, 2010) at 2011-03-21 13:43:46, Serialize by Router on mailserver/fnst(Release 8.5.1FP4|July 25, 2010) at 2011-03-21 13:43:46, Serialize complete at 2011-03-21 13:43:46 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Commit 'xfrm: Move IPsec replay detection functions to a separate file' (9fdc4883d92d20842c5acea77a4a21bb1574b495) introduce repl field to struct xfrm_state, and only initialize it under SA's netlink create path, the other path, such as pf_key, the repl field remaining uninitialize. So if the SA is created by pf_key, any input packet with SA's encryption algorithm will cause panic. int xfrm_input() { ... x->repl->advance(x, seq); ... } This patch fixed to init default xfrm_replay in xfrm_init_state(). Pid: 0, comm: swapper Not tainted 2.6.38-next+ #14 Bochs Bochs EIP: 0060:[] EFLAGS: 00010206 CPU: 0 EIP is at xfrm_input+0x31c/0x4cc EAX: dd839c00 EBX: 00000084 ECX: 00000000 EDX: 01000000 ESI: dd839c00 EDI: de3a0780 EBP: dec1de88 ESP: dec1de64 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process swapper (pid: 0, ti=dec1c000 task=c09c0f20 task.ti=c0992000) Stack: 00000000 00000000 00000002 c0ba27c0 00100000 01000000 de3a0798 c0ba27c0 00000033 dec1de98 c0786848 00000000 de3a0780 dec1dea4 c0786868 00000000 dec1debc c074ee56 e1da6b8c de3a0780 c074ed44 de3a07a8 dec1decc c074ef32 Call Trace: [] xfrm4_rcv_encap+0x22/0x27 [] xfrm4_rcv+0x1b/0x1d [] ip_local_deliver_finish+0x112/0x1b1 [] ? ip_local_deliver_finish+0x0/0x1b1 [] NF_HOOK.clone.1+0x3d/0x44 [] ip_local_deliver+0x3e/0x44 [] ? ip_local_deliver_finish+0x0/0x1b1 [] ip_rcv_finish+0x30a/0x332 [] ? ip_rcv_finish+0x0/0x332 [] NF_HOOK.clone.1+0x3d/0x44 [] ip_rcv+0x20b/0x247 [] ? ip_rcv_finish+0x0/0x332 [] __netif_receive_skb+0x373/0x399 [] netif_receive_skb+0x4b/0x51 [] cp_rx_poll+0x210/0x2c4 [8139cp] [] net_rx_action+0x9a/0x17d [] __do_softirq+0xa1/0x149 [] ? __do_softirq+0x0/0x149 Signed-off-by: Wei Yongjun --- net/xfrm/xfrm_state.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index d575f05..4274e11 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -1980,6 +1980,10 @@ int xfrm_init_state(struct xfrm_state *x) if (x->outer_mode == NULL) goto error; + err = xfrm_init_replay(x); + if (err) + goto error; + x->km.state = XFRM_STATE_VALID; error: