From patchwork Tue Oct 24 15:10:29 2017
X-Patchwork-Submitter: avivh@mellanox.com
X-Patchwork-Id: 829928
X-Patchwork-Delegate: davem@davemloft.net
From: avivh@mellanox.com
To: Steffen Klassert, Herbert Xu
Cc: Boris Pismenny, Yossi Kuperman, Yevgeny Kliteynik, netdev@vger.kernel.org, Aviv Heller
Subject: [PATCH net-next 1/3] xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)
Date: Tue, 24 Oct 2017 18:10:29 +0300
Message-Id: <1508857831-55824-1-git-send-email-avivh@mellanox.com>

From: Aviv Heller

Code path when (encap_type < 0) does not verify the state is valid before progressing. This will result in a crash if, for instance, x->km.state == XFRM_STATE_ACQ.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Signed-off-by: Aviv Heller
Signed-off-by: Yevgeny Kliteynik
---
 net/xfrm/xfrm_input.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 2515cd2..ea9407f 100644
--- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -206,7 +206,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) xfrm_address_t *daddr; struct xfrm_mode *inner_mode; u32 mark = skb->mark; - unsigned int family; + unsigned int family = AF_UNSPEC; int decaps = 0; int async = 0; bool xfrm_gro = false; @@ -215,6 +215,16 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) if (encap_type < 0) { x = xfrm_input_state(skb); + + if (unlikely(x->km.state != XFRM_STATE_VALID)) { + if (x->km.state == XFRM_STATE_ACQ) + XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR); + else + XFRM_INC_STATS(net, + LINUX_MIB_XFRMINSTATEINVALID); + goto drop; + } + family = x->outer_mode->afinfo->family; /* An encap_type of -1 indicates async resumption. */
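
Review bot: The `family = AF_UNSPEC` initialiser in the first hunk (@@ -206,7) is not explained in the changelog. It looks necessary only because the `goto drop` added in the second hunk is reached before `family = x->outer_mode->afinfo->family;` runs, so `family` would otherwise be uninitialised on that path. Please say so in the commit message, and confirm that whatever the drop path does with `family` copes with AF_UNSPEC rather than expecting a real address family.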
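
Review bot: In the second hunk (@@ -215,6), `x->km.state` is read twice, once in the `unlikely(x->km.state != XFRM_STATE_VALID)` test and again in the `== XFRM_STATE_ACQ` comparison, and no lock is taken in the visible lines. If the state can change between the two reads, the packet can be counted under the wrong MIB counter; consider reading it once into a local and branching on that, or note in a comment which lock or ordering guarantees it is stable here. The check also sits ahead of the "An encap_type of -1 indicates async resumption" case, so it applies to resumed packets as well; the changelog should state that dropping a resumed packet whose state is no longer valid is intended. Minor style point: the blank line added directly after `x = xfrm_input_state(skb);` separates the lookup from the check that validates it and could be dropped.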