1. 27 Apr, 2017 1 commit
  2. 15 Feb, 2017 4 commits
  3. 09 Feb, 2017 1 commit
  4. 30 Jan, 2017 1 commit
  5. 11 Aug, 2016 1 commit
    • net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key · 1625f452
      Alexey Kodanev authored
      Running LTP 'icmp-uni-basic.sh -6 -p ipcomp -m tunnel' test over
      openvswitch + veth can trigger kernel panic:
      
        BUG: unable to handle kernel NULL pointer dereference
        at 00000000000000e0 IP: [<ffffffff8169d1d2>] xfrm_input+0x82/0x750
        ...
        [<ffffffff816d472e>] xfrm6_rcv_spi+0x1e/0x20
        [<ffffffffa082c3c2>] xfrm6_tunnel_rcv+0x42/0x50 [xfrm6_tunnel]
        [<ffffffffa082727e>] tunnel6_rcv+0x3e/0x8c [tunnel6]
        [<ffffffff8169f365>] ip6_input_finish+0xd5/0x430
        [<ffffffff8169fc53>] ip6_input+0x33/0x90
        [<ffffffff8169f1d5>] ip6_rcv_finish+0xa5/0xb0
        ...
      
      It seems that tunnel.ip6 can have garbage values and is also dereferenced
      without a proper check; only tunnel.ip4 is being verified. Fix it by
      adding one more if block for AF_INET6 and initialize tunnel.ip6 with NULL
      inside xfrm6_rcv_spi() (which is similar to xfrm4_rcv_spi()).
      
      Fixes: 049f8e2e ("xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input")
      Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  6. 24 Mar, 2016 1 commit
    • xfrm: Fix crash observed during device unregistration and decryption · 071d36bf
      subashab@codeaurora.org authored
      A crash is observed when a decrypted packet is processed in receive
      path. get_rps_cpus() tries to dereference the skb->dev fields but it
      appears that the device is freed from the poison pattern.
      
      [<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
      [<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
      [<ffffffc000af6094>] netif_rx+0x74/0x94
      [<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
      [<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
      [<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
      [<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
      [<ffffffc0000b7324>] worker_thread+0x2f8/0x418
      [<ffffffc0000bb40c>] kthread+0xe0/0xec
      
      -013|get_rps_cpu(
           |    dev = 0xFFFFFFC08B688000,
           |    skb = 0xFFFFFFC0C76AAC00 -> (
           |      dev = 0xFFFFFFC08B688000 -> (
           |        name =
      "......................................................
           |        name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
      0xAAAAAAAAAAA
      
      Following are the sequence of events observed -
      
      - En...
  7. 23 Oct, 2015 1 commit
  8. 28 May, 2015 1 commit
  9. 24 Apr, 2015 1 commit
  10. 23 Apr, 2015 1 commit
  11. 07 Apr, 2015 1 commit
    • xfrm: fix xfrm_input/xfrm_tunnel_check oops · 68c11e98
      Alexey Dobriyan authored
      https://bugzilla.kernel.org/show_bug.cgi?id=95211
      
      Commit 70be6c91 ("xfrm: Add xfrm_tunnel_skb_cb to the skb common buffer")
      added a check which dereferences ->outer_mode too early, but larval SAs
      don't have this pointer set (yet). So check for tunnel stuff later.
      
      Mike Noordermeer reported this bug and patiently applied all the debugging.
      
      Technically this is remote-oops-in-interrupt-context type of thing.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000034
      IP: [<ffffffff8150dca2>] xfrm_input+0x3c2/0x5a0
      	...
      [<ffffffff81500fc6>] ? xfrm4_esp_rcv+0x36/0x70
      [<ffffffff814acc9a>] ? ip_local_deliver_finish+0x9a/0x200
      [<ffffffff81471b83>] ? __netif_receive_skb_core+0x6f3/0x8f0
      	...
      
      RIP  [<ffffffff8150dca2>] xfrm_input+0x3c2/0x5a0
      Kernel panic - not syncing: Fatal exception in interrupt
      Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  12. 14 Mar, 2014 1 commit
  13. 25 Feb, 2014 2 commits
  14. 02 Jan, 2014 1 commit
  15. 06 Jun, 2013 1 commit
    • xfrm: add LINUX_MIB_XFRMACQUIREERROR statistic counter · 4c4d41f2
      Fan Du authored
      When a host pings its peer, the ICMP echo request packet triggers the
      IPsec policy, then the host negotiates an SA secret with its peer. After
      IKE has installed the SA for the OUT direction, but before the SA for the
      IN direction is installed, the host gets an ICMP echo reply from its peer.
      At that time, the SA state for the IN direction could be XFRM_STATE_ACQ,
      then the received packet will be dropped after adding the
      LINUX_MIB_XFRMINSTATEINVALID statistic.

      Adding a LINUX_MIB_XFRMACQUIREERROR statistic counter for such a
      scenario, when the SA is in larval state, is much clearer for the user
      than LINUX_MIB_XFRMINSTATEINVALID, which indicates the SA is totally
      bad.
      Signed-off-by: Fan Du <fan.du@windriver.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  16. 04 Sep, 2012 1 commit
  17. 21 Sep, 2011 1 commit
  18. 29 Mar, 2011 1 commit
  19. 28 Mar, 2011 1 commit
  20. 14 Mar, 2011 3 commits
  21. 23 Feb, 2010 1 commit
  22. 03 Jun, 2009 1 commit
  23. 19 Dec, 2008 1 commit
  24. 04 Dec, 2008 1 commit
  25. 26 Nov, 2008 3 commits
  26. 24 Mar, 2008 1 commit
  27. 13 Feb, 2008 1 commit
  28. 01 Feb, 2008 2 commits
  29. 28 Jan, 2008 3 commits