FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Kernel

 
 
LinkBack Thread Tools
 
Old 02-23-2012, 12:38 AM
Eric Dumazet
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

Le jeudi 23 février 2012 à 01:59 +0100, Niccolò Belli a écrit :
> Hi,
> The bug is still present in latest 3.2.7 vanilla kernel. I wasted the
> whole day debugging that damn thing and I finally discovered the root cause.
> The problem is with my Traverse Solos multi-port ADSL2+ PCI card[1]
> (which has open source drivers included in the kernel) when using RFC
> 2684 routed.
> I have two adsl lines, the first one connected using RFC 2684 routed,
> the second one using PPPoA.
> If I create a vpn toward the PPPoA line it works flawlessly, while if I
> create a vpn toward the RFC 2684 routed line the whole system hangs in a
> kernel panic (with both 2.6.32.54 and 3.2.7).
> I really don't know how to fix it and I need to setup that damn ipsec vpn
>
> This is the bug on bugzilla.kernel.org:
> https://bugzilla.kernel.org/show_bug.cgi?id=42809
>
> Niccolò
>
>
> [1]http://www.traverse.com.au/productview.php?product_id=116

Which driver handles this Traverse Solos card ?








--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1329961083.15610.2.camel@edumazet-laptop">http://lists.debian.org/1329961083.15610.2.camel@edumazet-laptop
 
Old 02-23-2012, 12:46 AM
Jason White
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

Eric Dumazet <eric.dumazet@gmail.com> wrote:

> Which driver handles this Traverse Solos card ?

solos_pci, which also requires the atm module.

(I'm just trying to help here; I'm not affected by the bug.)




--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120223014614.GA10657@jdc.jasonjgw.net">http://lists.debian.org/20120223014614.GA10657@jdc.jasonjgw.net
 
Old 02-23-2012, 12:54 AM
Eric Dumazet
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

Le jeudi 23 février 2012 à 02:38 +0100, Eric Dumazet a écrit :

> Which driver handles this Traverse Solos card ?

If br2684_push() is used, it seems it lacks proper call to
skb_reset_mac_header(skb) in paths where eth_type_trans() is not called.

Later in xfrm4_mode_tunnel_input() we crash because we assume
skb_mac_header() is valid.






--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1329962079.15610.6.camel@edumazet-laptop">http://lists.debian.org/1329962079.15610.6.camel@edumazet-laptop
 
Old 02-23-2012, 12:55 AM
Niccolò Belli
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

Il 23/02/2012 02:38, Eric Dumazet ha scritto:

Which driver handles this Traverse Solos card ?


drivers/atm/solos-pci.c

~# lsmod | grep solos
solos_pci 20009 2
atm 32378 7 pppoatm,br2684,solos_pci

Niccolò



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F459C81.60704@linuxsystems.it">http://lists.debian.org/4F459C81.60704@linuxsystems.it
 
Old 02-23-2012, 12:45 PM
Niccolò Belli
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

Il 23/02/2012 03:06, Eric Dumazet ha scritto:

Thanks !

Please try following patch.

diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index 534972e..f170933 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -84,9 +84,11 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
if (!(x->props.flags& XFRM_STATE_NOECN))
ipip_ecn_decapsulate(skb);

- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ if (skb_mac_header_was_set(skb)) {
+ old_mac = skb_mac_header(skb);
+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
skb_reset_network_header(skb);
err = 0;



Your patch does solve the problem, thanks!

Niccolò



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F46430D.3060802@linuxsystems.it">http://lists.debian.org/4F46430D.3060802@linuxsystems.it
 
Old 02-23-2012, 12:48 PM
chas williams - CONTRACTOR
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

On Thu, 23 Feb 2012 02:54:39 +0100
Eric Dumazet <eric.dumazet@gmail.com> wrote:

> Le jeudi 23 février 2012 à 02:38 +0100, Eric Dumazet a écrit :
>
> > Which driver handles this Traverse Solos card ?
>
> If br2684_push() is used, it seems it lacks proper call to
> skb_reset_mac_header(skb) in paths where eth_type_trans() is not called.
>
> Later in xfrm4_mode_tunnel_input() we crash because we assume
> skb_mac_header() is valid.

when br2684_push() doesnt call eth_type_trans() the underlying packet
doesnt have a mac address header -- just an llc header that says 'ip
packet is next'.



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120223084853.2110605c@thirdoffive.cmf.nrl.navy.m il">http://lists.debian.org/20120223084853.2110605c@thirdoffive.cmf.nrl.navy.m il
 
Old 02-23-2012, 01:36 PM
Eric Dumazet
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

> Your patch does solve the problem, thanks!
>

Thanks for testing.

Here is the official patch I submit for review then.

[PATCH] ipsec: be careful of non existing mac headers

Nicollo Belli reported ipsec crashes in case we handle a frame without
mac header (atm in his case)

Before copying mac header, better make sure it is present.

Bugzilla reference: https://bugzilla.kernel.org/show_bug.cgi?id=42809

Reported-by: Niccolò Belli <darkbasic@linuxsystems.it>
Tested-by: Niccolò Belli <darkbasic@linuxsystems.it>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
net/ipv4/xfrm4_mode_beet.c | 9 +++++----
net/ipv4/xfrm4_mode_tunnel.c | 10 ++++++----
net/ipv6/xfrm6_mode_beet.c | 9 +++++----
net/ipv6/xfrm6_mode_tunnel.c | 10 ++++++----
4 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
index 6341818..d3451f6 100644
--- a/net/ipv4/xfrm4_mode_beet.c
+++ b/net/ipv4/xfrm4_mode_beet.c
@@ -111,10 +111,11 @@ static int xfrm4_beet_input(struct xfrm_state *x, struct sk_buff *skb)
skb_push(skb, sizeof(*iph));
skb_reset_network_header(skb);

- memmove(skb->data - skb->mac_len, skb_mac_header(skb),
- skb->mac_len);
- skb_set_mac_header(skb, -skb->mac_len);
-
+ if (skb_mac_header_was_set(skb)) {
+ memmove(skb->data - skb->mac_len, skb_mac_header(skb),
+ skb->mac_len);
+ skb_set_mac_header(skb, -skb->mac_len);
+ }
xfrm4_beet_make_header(skb);

iph = ip_hdr(skb);
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index 534972e..a646f30 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -66,7 +66,6 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)

static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
- const unsigned char *old_mac;
int err = -EINVAL;

if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP)
@@ -84,9 +83,12 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip_ecn_decapsulate(skb);

- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ if (skb_mac_header_was_set(skb)) {
+ const unsigned char *old_mac = skb_mac_header(skb);
+
+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
skb_reset_network_header(skb);
err = 0;

diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
index a81ce94..74c4b92 100644
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -80,7 +80,6 @@ static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
{
struct ipv6hdr *ip6h;
- const unsigned char *old_mac;
int size = sizeof(struct ipv6hdr);
int err;

@@ -91,10 +90,12 @@ static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
__skb_push(skb, size);
skb_reset_network_header(skb);

- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ if (skb_mac_header_was_set(skb)) {
+ const unsigned char *old_mac = skb_mac_header(skb);

+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
xfrm6_beet_make_header(skb);

ip6h = ipv6_hdr(skb);
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index 261e6e6..edb7091 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -63,7 +63,6 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
int err = -EINVAL;
- const unsigned char *old_mac;

if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPV6)
goto out;
@@ -80,9 +79,12 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip6_ecn_decapsulate(skb);

- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ if (skb_mac_header_was_set(skb)) {
+ const unsigned char *old_mac = skb_mac_header(skb);
+
+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
skb_reset_network_header(skb);
err = 0;






--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1330007786.15610.26.camel@edumazet-laptop">http://lists.debian.org/1330007786.15610.26.camel@edumazet-laptop
 
Old 02-23-2012, 01:39 PM
Eric Dumazet
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

Le jeudi 23 février 2012 à 15:36 +0100, Eric Dumazet a écrit :

> [PATCH] ipsec: be careful of non existing mac headers
>
> Nicollo Belli reported ipsec crashes in case we handle a frame without
> mac header (atm in his case)

Oops sorry for your name being mangled in changelog, its Niccolò as
correctly spelled in the "Reported-by" and "Tested-by" tags







--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1330007946.15610.28.camel@edumazet-laptop">http://lists.debian.org/1330007946.15610.28.camel@edumazet-laptop
 
Old 02-23-2012, 06:08 PM
Niccolò Belli
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

Il 23/02/2012 15:39, Eric Dumazet ha scritto:

Oops sorry for your name being mangled in changelog, its Niccolò as
correctly spelled in the "Reported-by" and "Tested-by" tags


Don't worry and thanks for your help. I'm currently running the official
patch you submitted for review.


Niccolò



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F468EB1.6030709@linuxsystems.it">http://lists.debian.org/4F468EB1.6030709@linuxsystems.it
 
Old 02-23-2012, 07:11 PM
David Miller
 
Default Bug#660804: New: kernel panic when receiving an ipsec packet

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 23 Feb 2012 15:36:26 +0100

> [PATCH] ipsec: be careful of non existing mac headers
>
> Nicollo Belli reported ipsec crashes in case we handle a frame without
> mac header (atm in his case)
>
> Before copying mac header, better make sure it is present.
>
> Bugzilla reference: https://bugzilla.kernel.org/show_bug.cgi?id=42809
>
> Reported-by: Niccolò Belli <darkbasic@linuxsystems.it>
> Tested-by: Niccolò Belli <darkbasic@linuxsystems.it>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Three instances of the same piece of code, maybe a helper function is
appropriate at that point? :-) You might even get ambitious and add a
big comment to that helper function explaining the situation.



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120223.151115.1646872434333284038.davem@davemlof t.net">http://lists.debian.org/20120223.151115.1646872434333284038.davem@davemlof t.net
 

Thread Tools




All times are GMT. The time now is 12:39 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org