From patchwork Thu Apr 2 07:58:24 2015
X-Patchwork-Submitter: Alexey Dobriyan
X-Patchwork-Id: 457531
X-Patchwork-Delegate: davem@davemloft.net
Date: Thu, 2 Apr 2015 10:58:24 +0300
From: Alexey Dobriyan
To: davem@davemloft.net
Cc: mike@normi.net, netdev@vger.kernel.org, steffen.klassert@secunet.com, herbert@gondor.apana.org.au
Subject: [PATCH] xfrm: fix xfrm_input/xfrm_tunnel_check oops
Message-ID: <20150402075824.GA2079@p183.telecom.by>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Mailing-List: netdev@vger.kernel.org

https://bugzilla.kernel.org/show_bug.cgi?id=95211

Commit 70be6c91c86596ad2b60c73587880b47df170a41 ("xfrm: Add xfrm_tunnel_skb_cb to the skb common buffer")
added a check which dereferences ->outer_mode too early, but larval SAs don't have this pointer set (yet).
So check for tunnel stuff later.

Mike Noordermeer reported this bug and patiently applied all the debugging.

Technically this is a remote-oops-in-interrupt-context type of thing.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000034
IP: [] xfrm_input+0x3c2/0x5a0
...
[] ? xfrm4_esp_rcv+0x36/0x70
[] ? ip_local_deliver_finish+0x9a/0x200
[] ? __netif_receive_skb_core+0x6f3/0x8f0
...
RIP [] xfrm_input+0x3c2/0x5a0
Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Alexey Dobriyan
---

Patch is in final testing, I'm sending it opportunistically.
Mike, please chime in if this patch didn't help in the end!

 net/xfrm/xfrm_input.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/net/xfrm/xfrm_input.c
+++ a/net/xfrm/xfrm_input.c
@@ -238,11 +238,6 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) skb->sp->xvec[skb->sp->len++] = x; - if (xfrm_tunnel_check(skb, x, family)) { - XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR); - goto drop; - } - spin_lock(&x->lock); if (unlikely(x->km.state == XFRM_STATE_ACQ)) { XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR); @@ -271,6 +266,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) spin_unlock(&x->lock); + if (xfrm_tunnel_check(skb, x, family)) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR); + goto drop; + } + seq_hi = htonl(xfrm_replay_seqhi(x, seq)); XFRM_SKB_CB(skb)->seq.input.low = seq;
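Review bot: in the first hunk (@@ -238,11 +238,6 @@) the xfrm_tunnel_check() call is removed from in front of spin_lock(&x->lock), but everything between the end of this hunk and the start of the next, i.e. the whole region executed under x->lock, is not shown in the diff; please confirm that nothing in that region reads XFRM_TUNNEL_SKB_CB(skb) or otherwise relied on xfrm_tunnel_check() having already validated the skb, because those lines now run on packets the old ordering would have dropped before taking the lock. Note also that x is stored in skb->sp->xvec[skb->sp->len++] before either check runs, so the "goto drop" path must still account for that secpath reference exactly as before; the move does not change that, which is worth stating in the commit message.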
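Review bot: in the second hunk (@@ -271,6 +266,11 @@) the relocated xfrm_tunnel_check() block carries no comment saying why it must come after the x->km.state == XFRM_STATE_ACQ test and after spin_unlock(&x->lock); without one the next cleanup is liable to hoist it back to where it oopsed. Suggest a one-line comment above the call, e.g. `/* larval (XFRM_STATE_ACQ) states have no outer_mode yet; only check after the state test */`. Two observable effects also deserve a sentence in the commit message: a packet that hits a larval SA now bumps LINUX_MIB_XFRMACQUIREERROR instead of LINUX_MIB_XFRMINSTATEMODEERROR (previously it crashed, so this is an improvement, but anyone graphing those counters should know), and the mode check now runs outside x->lock, so it must only depend on fields that are stable without the lock.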
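As an added illustration, not part of the patch or of the kernel tree: the following userspace C model reproduces the ordering problem the commit message describes. A larval SA (state XFRM_STATE_ACQ, waiting on the key manager) has no outer_mode yet, and a check that reads that pointer before the state test is exactly what an attacker-timed ESP packet trips. Every identifier in the block (tunnel_check, input_before_fix, input_after_fix, lookup_sa, run_scenario, the enums, structs, SPIs and packets) is a simplified stand-in constructed for this example and is not a kernel API; the lookup-by-SPI step is assumed to find a larval SA the same way it finds an installed one.

```c
/*
 * Added example (not kernel code): a userspace model of the check-ordering bug
 * the patch fixes in xfrm_input(). struct xfrm_state, xfrm_tunnel_check() and
 * the MIB counters are simplified stand-ins; all SAs and packets are constructed.
 */
#include <stddef.h>

enum sa_state { XFRM_STATE_ACQ, XFRM_STATE_VALID };     /* larval vs. installed */
enum encap    { XFRM_MODE_TRANSPORT, XFRM_MODE_TUNNEL };
enum result   { RESULT_OK, RESULT_DROP, RESULT_OOPS };   /* OOPS models the NULL deref */
enum counter  { CNT_NONE, CNT_INSTATEMODEERROR, CNT_ACQUIREERROR };

struct xfrm_mode  { enum encap encap; };                 /* only the field the check reads */
struct xfrm_state {
    unsigned int spi;
    enum sa_state state;
    const struct xfrm_mode *outer_mode;                  /* NULL until the SA is installed */
};
struct pkt     { unsigned int spi; int arrived_in_tunnel; };
struct verdict { enum result r; enum counter bumped; };

/* Model of xfrm_tunnel_check(): reads x->outer_mode unconditionally, as the
 * real one does. On a larval SA that read is the reported oops. */
static enum result tunnel_check(const struct pkt *p, const struct xfrm_state *x)
{
    if (x->outer_mode == NULL)
        return RESULT_OOPS;
    int sa_is_tunnel = (x->outer_mode->encap == XFRM_MODE_TUNNEL);
    return sa_is_tunnel == p->arrived_in_tunnel ? RESULT_OK : RESULT_DROP;
}

/* Ordering before the patch: tunnel check runs before the larval-state test. */
static struct verdict input_before_fix(const struct pkt *p, const struct xfrm_state *x)
{
    enum result r = tunnel_check(p, x);
    if (r != RESULT_OK)
        return (struct verdict){ r, r == RESULT_DROP ? CNT_INSTATEMODEERROR : CNT_NONE };
    if (x->state == XFRM_STATE_ACQ)
        return (struct verdict){ RESULT_DROP, CNT_ACQUIREERROR };
    return (struct verdict){ RESULT_OK, CNT_NONE };
}

/* Ordering after the patch: a larval SA is rejected before outer_mode is read. */
static struct verdict input_after_fix(const struct pkt *p, const struct xfrm_state *x)
{
    if (x->state == XFRM_STATE_ACQ)
        return (struct verdict){ RESULT_DROP, CNT_ACQUIREERROR };
    enum result r = tunnel_check(p, x);
    if (r != RESULT_OK)
        return (struct verdict){ r, r == RESULT_DROP ? CNT_INSTATEMODEERROR : CNT_NONE };
    return (struct verdict){ RESULT_OK, CNT_NONE };
}

/* Constructed fixtures. The larval SA models an ACQUIRE that already has an
 * SPI (so an incoming ESP packet can be matched to it) but no outer_mode yet. */
static const struct xfrm_mode  tunnel_mode = { XFRM_MODE_TUNNEL };
static const struct xfrm_state larval_sa   = { 0x1001, XFRM_STATE_ACQ,   NULL };
static const struct xfrm_state mature_sa   = { 0x1002, XFRM_STATE_VALID, &tunnel_mode };
static const struct xfrm_state *sa_table[] = { &larval_sa, &mature_sa };

static const struct pkt esp_to_larval  = { 0x1001, 1 };  /* peer sends before SA is installed */
static const struct pkt esp_tunnel_ok  = { 0x1002, 1 };  /* outer header matches tunnel-mode SA */
static const struct pkt esp_transport  = { 0x1002, 0 };  /* no tunnel header, mode mismatch */

/* Model of the SPI lookup: a larval SA is found just like an installed one. */
static const struct xfrm_state *lookup_sa(unsigned int spi)
{
    for (size_t i = 0; i < sizeof(sa_table) / sizeof(sa_table[0]); i++)
        if (sa_table[i]->spi == spi)
            return sa_table[i];
    return NULL;
}

/* Runs one packet through either ordering; fixed != 0 selects the patched one. */
struct verdict run_scenario(int fixed, const struct pkt *p)
{
    const struct xfrm_state *x = lookup_sa(p->spi);
    if (x == NULL)
        return (struct verdict){ RESULT_DROP, CNT_NONE };  /* no-state drop, counter not modeled */
    return fixed ? input_after_fix(p, x) : input_before_fix(p, x);
}
```

The model makes the general lesson visible: a property that only exists once an object has left its provisional state (here outer_mode on a non-larval SA) must be checked after the lifecycle gate, not before it. Adding a NULL test inside tunnel_check() would have silenced the oops but left the real defect, a mode check run against an SA that has no mode yet, in place; reordering the checks fixes the defect and also changes which counter a larval-SA packet increments, which is the counter difference the model reports.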