Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

davem330 · davem330 · commit 93b03193c6a5 · 2017-10-09T09:43:34.000-07:00
Steffen Klassert says:

====================
pull request (net): ipsec 2017-10-09

1) Fix some error paths of the IPsec offloading API.

2) Fix a NULL pointer dereference when IPsec is used
   with vti. From Alexey Kodanev.

3) Don't call xfrm_policy_cache_flush under xfrm_state_lock,
   it triggers several locking warnings. From Artem Savkov.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
@@ -91,6 +91,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
 	}
 
 	if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_state_add) {
+		xso->dev = NULL;
 		dev_put(dev);
 		return 0;
 	}
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
@@ -429,7 +429,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 	nf_reset(skb);
 
 	if (decaps) {
-		skb->sp->olen = 0;
+		if (skb->sp)
+			skb->sp->olen = 0;
 		skb_dst_drop(skb);
 		gro_cells_receive(&gro_cells, skb);
 		return 0;
@@ -440,7 +441,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 
 		err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
 		if (xfrm_gro) {
-			skb->sp->olen = 0;
+			if (skb->sp)
+				skb->sp->olen = 0;
 			skb_dst_drop(skb);
 			gro_cells_receive(&gro_cells, skb);
 			return err;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
@@ -732,12 +732,12 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
 			}
 		}
 	}
+out:
+	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
 	if (cnt) {
 		err = 0;
 		xfrm_policy_cache_flush();
 	}
-out:
-	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
 	return err;
 }
 EXPORT_SYMBOL(xfrm_state_flush);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
@@ -657,6 +657,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 	if (err < 0) {
 		x->km.state = XFRM_STATE_DEAD;
+		xfrm_dev_state_delete(x);
 		__xfrm_state_put(x);
 		goto out;
 	}

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ int xfrm_dev_state_add(struct net net, struct xfrm_state x,`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`if (!dev->xfrmdev_ops \|\| !dev->xfrmdev_ops->xdo_dev_state_add) {`
	`94`	`+ xso->dev = NULL;`
`94`	`95`	`dev_put(dev);`
`95`	`96`	`return 0;`
`96`	`97`	`}`
Original file line number	Diff line number	Diff line change
`@@ -732,12 +732,12 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)`
`732`	`732`	`}`
`733`	`733`	`}`
`734`	`734`	`}`
	`735`	`+out:`
	`736`	`+ spin_unlock_bh(&net->xfrm.xfrm_state_lock);`
`735`	`737`	`if (cnt) {`
`736`	`738`	`err = 0;`
`737`	`739`	`xfrm_policy_cache_flush();`
`738`	`740`	`}`
`739`		`-out:`
`740`		`- spin_unlock_bh(&net->xfrm.xfrm_state_lock);`
`741`	`741`	`return err;`
`742`	`742`	`}`
`743`	`743`	`EXPORT_SYMBOL(xfrm_state_flush);`
Original file line number	Diff line number	Diff line change
`@@ -657,6 +657,7 @@ static int xfrm_add_sa(struct sk_buff skb, struct nlmsghdr nlh,`
`657`	`657`
`658`	`658`	`if (err < 0) {`
`659`	`659`	`x->km.state = XFRM_STATE_DEAD;`
	`660`	`+ xfrm_dev_state_delete(x);`
`660`	`661`	`__xfrm_state_put(x);`
`661`	`662`	`goto out;`
`662`	`663`	`}`