* Fw: [BUG] 2.6.20 Oopses in xfrm_audit_log
@ 2007-02-12 22:21 Andrew Morton
  2007-02-12 22:49 ` David Miller
  0 siblings, 1 reply; 12+ messages in thread
From: Andrew Morton @ 2007-02-12 22:21 UTC (permalink / raw)
  To: netdev; +Cc: Charles-Edouard Ruault



Begin forwarded message:

Date: Mon, 12 Feb 2007 15:16:04 +0100
From: Charles-Edouard Ruault <ce@ruault.com>
To: linux-kernel@vger.kernel.org, linux-net@vger.kernel.org
Subject: [BUG] 2.6.20 Oopses in xfrm_audit_log


Hi All,

I upgraded to vanilla kernel 2.6.20 and while I was using strongswan 
2.8.2 to set up an IPsec VPN I got the following kernel Oops.
I had successfully established the same tunnel a few times, but key 
renegotiation caused a problem (both ends did not renegotiate at the 
same time so the tunnel was frozen). I decided to kill the tunnel and 
start a new one (using ipsec auto --down tunnel & ipsec auto --up 
tunnel), and while I was doing so, I got the oops.

BUG: unable to handle kernel NULL pointer dereference at virtual address 
00000188
 printing eip:
c02fb85c
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish 
twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1 
crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100 
hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns 
ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter 
ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK 
iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus 
video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod 
libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus 
ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event 
snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc 
snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart 
i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
CPU:    0
EIP:    0060:[<c02fb85c>]    Not tainted VLI
EFLAGS: 00010246   (2.6.20 #1)
EIP is at xfrm_audit_log+0x4cc/0x580
eax: ecb71061   ebx: c039d160   ecx: 00000000   edx: 00000021
esi: 000001f4   edi: 00000255   ebp: 00000000   esp: e8cd5a18
ds: 007b   es: 007b   ss: 0068
Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 
00000003
       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 
00000286
       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 
00000000
Call Trace:
 [<c011506b>] __wake_up+0x4b/0x80
 [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
 [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
 [<c011d90e>] local_bh_enable+0x2e/0xa0
 [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
 [<c0305e50>] xfrm_get_policy+0x0/0x2f0
 [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
 [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
 [<c02b3782>] netlink_run_queue+0x82/0x120
 [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
 [<c02b3d42>] netlink_data_ready+0x12/0x50
 [<c02b2931>] netlink_sendskb+0x21/0x40
 [<c02b3c50>] netlink_sendmsg+0x230/0x310
 [<c02993cd>] sock_aio_write+0x11d/0x130
 [<c01d538a>] avc_has_perm+0x5a/0x70
 [<c0163ed5>] do_sync_write+0xd5/0x120
 [<c012c960>] autoremove_wake_function+0x0/0x50
 [<c01648c7>] vfs_write+0x177/0x180
 [<c0164ea1>] sys_write+0x41/0x70
 [<c0102f14>] syscall_call+0x7/0xb
 =======================
Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18

I'm running a vanilla 2.6.20 kernel on a Fedora Core 5 box on an Athlon 
processor:
cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 6
model           : 8
model name      : AMD Athlon(TM) XP 2400+
stepping        : 1
cpu MHz         : 2000.256
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 
mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow ts
bogomips        : 4003.78
clflush size    : 32

uname -a
Linux machine 2.6.20 #1 PREEMPT Sat Feb 10 13:48:56 CET 2007 i686 athlon 
i386 GNU/Linux

Please CC me in follow-ups since I do not subscribe to the list.
Thanks

-- 
Charles-Edouard Ruault
GPG key Id E4D2B80C

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 22:21 Fw: [BUG] 2.6.20 Oopses in xfrm_audit_log Andrew Morton
@ 2007-02-12 22:49 ` David Miller
  2007-02-12 23:01   ` Andrew Morton
  0 siblings, 1 reply; 12+ messages in thread
From: David Miller @ 2007-02-12 22:49 UTC (permalink / raw)
  To: akpm; +Cc: netdev, ce


Andrew, we're already discussing a fix for this in another
thread today:

commit 13fcfbb0675bf87da694f55dec11cada489a205c
Author: David S. Miller <davem@sunset.davemloft.net>
Date:   Mon Feb 12 13:53:54 2007 -0800

    [XFRM]: Fix OOPSes in xfrm_audit_log().
    
    Make sure that this function is called correctly, and
    add BUG() checking to ensure the arguments are sane.
    
    Based upon a patch by Joy Latten.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/key/af_key.c b/net/key/af_key.c
index f3a026f..1c58204 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
 				   &sel, tmp.security, 1);
 	security_xfrm_policy_free(&tmp);
 
-	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
 	if (xp == NULL)
 		return -ENOENT;
 
-	err = 0;
+	err = security_xfrm_policy_delete(xp);
 
-	if ((err = security_xfrm_policy_delete(xp)))
+	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+		       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+	if (err)
 		goto out;
+
 	c.seq = hdr->sadb_msg_seq;
 	c.pid = hdr->sadb_msg_pid;
 	c.event = XFRM_MSG_DELPOLICY;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a24f385..c394b41 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1997,9 +1997,14 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
 	if (audit_enabled == 0)
 		return;
 
+	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
+		type == AUDIT_MAC_IPSEC_DELSA) && !x);
+	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
+		type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
+
 	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
 	if (audit_buf == NULL)
-	return;
+		return;
 
 	switch(type) {
 	case AUDIT_MAC_IPSEC_ADDSA:
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d55436d..2567453 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
 		security_xfrm_policy_free(&tmp);
 	}
-	if (delete)
-		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
 	if (xp == NULL)
 		return -ENOENT;
 
@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 					      MSG_DONTWAIT);
 		}
 	} else {
-		if ((err = security_xfrm_policy_delete(xp)) != 0)
+		err = security_xfrm_policy_delete(xp);
+
+		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+		if (err != 0)
 			goto out;
+
 		c.data.byid = p->index;
 		c.event = nlh->nlmsg_type;
 		c.seq = nlh->nlmsg_seq;


* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 22:49 ` David Miller
@ 2007-02-12 23:01   ` Andrew Morton
  0 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2007-02-12 23:01 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, ce

> On Mon, 12 Feb 2007 14:49:38 -0800 (PST) David Miller <davem@davemloft.net> wrote:
> Andrew, we're already discussing a fix for this in another
> thread today:

Yeah, I noticed.  Victimised again by those darn MUA vendors and/or
users who bust their In-Reply-To/References headers :(


* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 17:44 Joy Latten
                   ` (3 preceding siblings ...)
  2007-02-15  8:22 ` Charles-Edouard Ruault
@ 2007-02-26 10:36 ` Charles-Edouard Ruault
  4 siblings, 0 replies; 12+ messages in thread
From: Charles-Edouard Ruault @ 2007-02-26 10:36 UTC (permalink / raw)
  To: Joy Latten; +Cc: davem, herbert, linux-kernel, linux-net

Joy Latten wrote:
>> I upgraded to vanilla kernel 2.6.20 and while I was using strongswan 
>> 2.8.2 to set up an IPsec VPN I got the following kernel Oops.
>> I had successfully established the same tunnel a few times, but key 
>> renegotiation caused a problem (both ends did not renegotiate at the 
>> same time so the tunnel was frozen). I decided to kill the tunnel and 
>> start a new one (using ipsec auto --down tunnel & ipsec auto --up 
>> tunnel), and while I was doing so, I got the oops.
>>
>> BUG: unable to handle kernel NULL pointer dereference at virtual address 
>> 00000188
>> printing eip:
>> c02fb85c
>> *pde = 00000000
>> Oops: 0000 [#1]
>> PREEMPT
>> Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish 
>> twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1 
>> crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100 
>> hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns 
>> ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter 
>> ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK 
>> iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus 
>> video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod 
>> libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus 
>> ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event 
>> snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc 
>> snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart 
>> i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
>> CPU:    0
>> EIP:    0060:[<c02fb85c>]    Not tainted VLI
>> EFLAGS: 00010246   (2.6.20 #1)
>> EIP is at xfrm_audit_log+0x4cc/0x580
>> eax: ecb71061   ebx: c039d160   ecx: 00000000   edx: 00000021
>> esi: 000001f4   edi: 00000255   ebp: 00000000   esp: e8cd5a18
>> ds: 007b   es: 007b   ss: 0068
>> Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
>> Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 
>> 00000003
>>       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 
>> 00000286
>>       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 
>> 00000000
>> Call Trace:
>> [<c011506b>] __wake_up+0x4b/0x80
>> [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
>> [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
>> [<c011d90e>] local_bh_enable+0x2e/0xa0
>> [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
>> [<c0305e50>] xfrm_get_policy+0x0/0x2f0
>> [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
>> [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
>> [<c02b3782>] netlink_run_queue+0x82/0x120
>> [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
>> [<c02b3d42>] netlink_data_ready+0x12/0x50
>> [<c02b2931>] netlink_sendskb+0x21/0x40
>> [<c02b3c50>] netlink_sendmsg+0x230/0x310
>> [<c02993cd>] sock_aio_write+0x11d/0x130
>> [<c01d538a>] avc_has_perm+0x5a/0x70
>> [<c0163ed5>] do_sync_write+0xd5/0x120
>> [<c012c960>] autoremove_wake_function+0x0/0x50
>> [<c01648c7>] vfs_write+0x177/0x180
>> [<c0164ea1>] sys_write+0x41/0x70
>> [<c0102f14>] syscall_call+0x7/0xb
>> =======================
>> Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
>> 48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
>> 88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
>> EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18
>>
>>
>>     
>
> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Regards,
> Joy
>
> Signed-off-by: Joy Latten <latten@austin.ibm.com>
>
>
> diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_policy.c linux-2.6.19/net/xfrm/xfrm_policy.c
> --- linux-2.6.19.orig/net/xfrm/xfrm_policy.c	2007-01-02 14:24:14.000000000 -0600
> +++ linux-2.6.19/net/xfrm/xfrm_policy.c	2007-01-02 14:28:24.000000000 -0600
> @@ -2003,6 +2003,9 @@ void xfrm_audit_log(uid_t auid, u32 sid,
>  	if (audit_enabled == 0)
>  		return;
>  
> +	if ((x == NULL) && (xp == NULL))
> +		return;
> +
>  	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
>  	if (audit_buf == NULL)
>  	return;
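
Review bot: `if ((x == NULL) && (xp == NULL)) return;` only refuses the call when both objects are missing, but the `switch(type)` further down this function dereferences whichever object `type` implies; a DELSPD call with xp == NULL and a non-NULL x (or the reverse for DELSA) still passes this guard and faults at the same place as the report. The guard should pair the object with the type, and returning silently hides a caller bug that an audit-dependent deployment would want to know about. The mis-indented `return;` after audit_log_start() in the context lines is pre-existing but worth fixing while this function is being touched.
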
> diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_user.c linux-2.6.19/net/xfrm/xfrm_user.c
> --- linux-2.6.19.orig/net/xfrm/xfrm_user.c	2007-01-02 14:24:14.000000000 -0600
> +++ linux-2.6.19/net/xfrm/xfrm_user.c	2007-01-02 14:28:14.000000000 -0600
> @@ -1268,10 +1268,6 @@ static int xfrm_get_policy(struct sk_buf
>  		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
>  		security_xfrm_policy_free(&tmp);
>  	}
> -	if (delete)
> -		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> -			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
> -
>  	if (xp == NULL)
>  		return -ENOENT;
>  
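
Review bot: removing this call fixes the crash in the reporter's trace (xfrm_get_policy() reaching xfrm_audit_log() with a NULL xp on the delete path), but nothing replaces it for the xp == NULL case, so a delete of a non-existent policy now returns -ENOENT with no audit record at all; the patch description should say so, since it is a change in what auditors will see.
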
> @@ -1289,6 +1285,10 @@ static int xfrm_get_policy(struct sk_buf
>  	} else {
>  		if ((err = security_xfrm_policy_delete(xp)) != 0)
>  			goto out;
> +
> +		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> +			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
> +
>  		c.data.byid = p->index;
>  		c.event = nlh->nlmsg_type;
>  		c.seq = nlh->nlmsg_seq;
>   
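
Review bot: the audit call has been placed after `if ((err = security_xfrm_policy_delete(xp)) != 0) goto out;`, so when the LSM refuses the deletion the function jumps to `out` without logging anything, and `(xp) ? 1 : 0` is always 1 at this point because the NULL case already returned -ENOENT above, which makes the `result` argument dead. `result` should reflect `err`, and the log call should come before the goto so refused deletions are recorded.
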
Joy,
a quick email to let you know that I got the oops again this morning 
with a 2.6.20 patched with the above fix.
I'm going to rebuild a vanilla kernel patched with the patch sent by 
David Miller in follow-up to your previous conversation.

Here's the dump:

BUG: unable to handle kernel NULL pointer dereference at virtual address 
00000188
 printing eip:
c02fb85c
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: stir4200 irda crc_ccitt ppdev vmnet(P) vmmon(P) loop 
usblp nls_iso8859_1 nls_cp437 vfat fat xfrm4_mode_tunnel deflate 
zlib_deflate twofish twofish_common serpent blowfish des cbc ecb 
blkcipher xcbc sha256 sha1 crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 
ah4 af_key autofs4 asb100 hwmon_vid hidp rfcomm l2cap bluetooth sunrpc 
nf_conntrack_netbios_ns ipt_LOG xt_limit xt_mark xt_state xt_tcpudp 
iptable_filter ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 
xt_MARK iptable_mangle ip_tables x_tables binfmt_misc ipv6 sd_mod sg 
hfsplus video button ac lp parport_pc parport floppy nvram usb_storage 
scsi_mod libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec 
uhci_hcd ac97_bus ohci1394 snd_seq_dummy ieee1394 snd_seq_oss 
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer 
snd_page_alloc snd_mpu401_uart snd_rawmidi snd_seq_device snd shpchp 
i2c_viapro b44 soundcore pcspkr i2c_core eepro100 mii via_agp agpgart 
usbcore dm_mod
CPU:    0
EIP:    0060:[<c02fb85c>]    Tainted: P   M  VLI
EFLAGS: 00010246   (2.6.20 #1)
EIP is at xfrm_audit_log+0x4cc/0x580
eax: c4f3a86b   ebx: c039d160   ecx: 00000000   edx: 00000023
esi: ffffffff   edi: 00000031   ebp: 00000000   esp: deb71a18
ds: 007b   es: 007b   ss: 0068
Process pluto (pid: 3847, ti=deb70000 task=e1b82050 task.ti=deb70000)
Stack: c17d2e60 c0354bf1 ecce48e0 00000003 c03ac59c e18b2400 00000001 
00000003
       f8ce1450 00000000 00000001 00000286 deb71a6c c011506b 00000000 
00000286
       efdde780 00000246 c17d2e60 00000000 00000000 efdde780 f8cdac67 
00000000
Call Trace:
 [<c011506b>] __wake_up+0x4b/0x80
 [<f8cdac67>] pfkey_broadcast+0x137/0x1b0 [af_key]
 [<f8cdae5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
 [<c011d90e>] local_bh_enable+0x2e/0xa0
 [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
 [<c0305e50>] xfrm_get_policy+0x0/0x2f0
 [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
 [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
 [<c02b3782>] netlink_run_queue+0x82/0x120
 [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
 [<c02b3d42>] netlink_data_ready+0x12/0x50
 [<c02b2931>] netlink_sendskb+0x21/0x40
 [<c02b3c50>] netlink_sendmsg+0x230/0x310
 [<c02993cd>] sock_aio_write+0x11d/0x130
 [<c01d538a>] avc_has_perm+0x5a/0x70
 [<c0163ed5>] do_sync_write+0xd5/0x120
 [<c012c960>] autoremove_wake_function+0x0/0x50
 [<c01648c7>] vfs_write+0x177/0x180
 [<c0164ea1>] sys_write+0x41/0x70
 [<c0102f14>] syscall_call+0x7/0xb
 =======================
Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:deb71a18



-- 
Charles-Edouard Ruault
GPG key Id E4D2B80C



* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 17:44 Joy Latten
                   ` (2 preceding siblings ...)
  2007-02-12 21:46 ` David Miller
@ 2007-02-15  8:22 ` Charles-Edouard Ruault
  2007-02-26 10:36 ` Charles-Edouard Ruault
  4 siblings, 0 replies; 12+ messages in thread
From: Charles-Edouard Ruault @ 2007-02-15  8:22 UTC (permalink / raw)
  To: Joy Latten; +Cc: davem, herbert, linux-kernel, linux-net

Joy Latten wrote:
>> I upgraded to vanilla kernel 2.6.20 and while I was using strongswan 
>> 2.8.2 to set up an IPsec VPN I got the following kernel Oops.
>> I had successfully established the same tunnel a few times, but key 
>> renegotiation caused a problem (both ends did not renegotiate at the 
>> same time so the tunnel was frozen). I decided to kill the tunnel and 
>> start a new one (using ipsec auto --down tunnel & ipsec auto --up 
>> tunnel), and while I was doing so, I got the oops.
>>
>> BUG: unable to handle kernel NULL pointer dereference at virtual address 
>> 00000188
>> printing eip:
>> c02fb85c
>> *pde = 00000000
>> Oops: 0000 [#1]
>> PREEMPT
>> Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish 
>> twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1 
>> crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100 
>> hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns 
>> ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter 
>> ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK 
>> iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus 
>> video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod 
>> libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus 
>> ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event 
>> snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc 
>> snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart 
>> i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
>> CPU:    0
>> EIP:    0060:[<c02fb85c>]    Not tainted VLI
>> EFLAGS: 00010246   (2.6.20 #1)
>> EIP is at xfrm_audit_log+0x4cc/0x580
>> eax: ecb71061   ebx: c039d160   ecx: 00000000   edx: 00000021
>> esi: 000001f4   edi: 00000255   ebp: 00000000   esp: e8cd5a18
>> ds: 007b   es: 007b   ss: 0068
>> Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
>> Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 
>> 00000003
>>       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 
>> 00000286
>>       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 
>> 00000000
>> Call Trace:
>> [<c011506b>] __wake_up+0x4b/0x80
>> [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
>> [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
>> [<c011d90e>] local_bh_enable+0x2e/0xa0
>> [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
>> [<c0305e50>] xfrm_get_policy+0x0/0x2f0
>> [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
>> [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
>> [<c02b3782>] netlink_run_queue+0x82/0x120
>> [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
>> [<c02b3d42>] netlink_data_ready+0x12/0x50
>> [<c02b2931>] netlink_sendskb+0x21/0x40
>> [<c02b3c50>] netlink_sendmsg+0x230/0x310
>> [<c02993cd>] sock_aio_write+0x11d/0x130
>> [<c01d538a>] avc_has_perm+0x5a/0x70
>> [<c0163ed5>] do_sync_write+0xd5/0x120
>> [<c012c960>] autoremove_wake_function+0x0/0x50
>> [<c01648c7>] vfs_write+0x177/0x180
>> [<c0164ea1>] sys_write+0x41/0x70
>> [<c0102f14>] syscall_call+0x7/0xb
>> =======================
>> Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
>> 48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
>> 88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
>> EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18
>>
>>
>>     
>
> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Regards,
> Joy
>
> Signed-off-by: Joy Latten <latten@austin.ibm.com>
>
>
> diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_policy.c linux-2.6.19/net/xfrm/xfrm_policy.c
> --- linux-2.6.19.orig/net/xfrm/xfrm_policy.c	2007-01-02 14:24:14.000000000 -0600
> +++ linux-2.6.19/net/xfrm/xfrm_policy.c	2007-01-02 14:28:24.000000000 -0600
> @@ -2003,6 +2003,9 @@ void xfrm_audit_log(uid_t auid, u32 sid,
>  	if (audit_enabled == 0)
>  		return;
>  
> +	if ((x == NULL) && (xp == NULL))
> +		return;
> +
>  	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
>  	if (audit_buf == NULL)
>  	return;
> diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_user.c linux-2.6.19/net/xfrm/xfrm_user.c
> --- linux-2.6.19.orig/net/xfrm/xfrm_user.c	2007-01-02 14:24:14.000000000 -0600
> +++ linux-2.6.19/net/xfrm/xfrm_user.c	2007-01-02 14:28:14.000000000 -0600
> @@ -1268,10 +1268,6 @@ static int xfrm_get_policy(struct sk_buf
>  		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
>  		security_xfrm_policy_free(&tmp);
>  	}
> -	if (delete)
> -		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> -			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
> -
>  	if (xp == NULL)
>  		return -ENOENT;
>  
> @@ -1289,6 +1285,10 @@ static int xfrm_get_policy(struct sk_buf
>  	} else {
>  		if ((err = security_xfrm_policy_delete(xp)) != 0)
>  			goto out;
> +
> +		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> +			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
> +
>  		c.data.byid = p->index;
>  		c.event = nlh->nlmsg_type;
>  		c.seq = nlh->nlmsg_seq;
>   
Hi Joy,
just to let you know that since I've applied your patch, everything is 
running smoothly for me.
Thanks again.

-- 
Charles-Edouard Ruault
GPG key Id E4D2B80C



* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 21:46 ` David Miller
@ 2007-02-13  1:02   ` James Morris
  0 siblings, 0 replies; 12+ messages in thread
From: James Morris @ 2007-02-13  1:02 UTC (permalink / raw)
  To: David Miller; +Cc: latten, ce, herbert, linux-kernel, linux-net

On Mon, 12 Feb 2007, David Miller wrote:

> Thus, below is the patch I will use to fix this bug:
> 
> 1) Calling xfrm_audit_log() with a NULL object is a BUG()
> 2) Setting "result" based upon NULL'ness of the object makes no
>    sense, either set it to "1" in these cases or use an appropriate
>    error check.
> 
> How does this look to others?

Looks good to me.


-- 
James Morris
<jmorris@namei.org>


* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 17:44 Joy Latten
  2007-02-12 20:50 ` [BUG] " David Miller
  2007-02-12 21:04 ` Charles-Edouard Ruault
@ 2007-02-12 21:46 ` David Miller
  2007-02-13  1:02   ` James Morris
  2007-02-15  8:22 ` Charles-Edouard Ruault
  2007-02-26 10:36 ` Charles-Edouard Ruault
  4 siblings, 1 reply; 12+ messages in thread
From: David Miller @ 2007-02-12 21:46 UTC (permalink / raw)
  To: latten; +Cc: ce, herbert, linux-kernel, linux-net

From: Joy Latten <latten@austin.ibm.com>
Date: Mon, 12 Feb 2007 11:44:30 -0600

> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
> 
> Signed-off-by: Joy Latten <latten@austin.ibm.com>

This whole interface is a complete mess.

Calling xfrm_audit_log() without the proper object being non-NULL
should be a bug.  And that's exactly what you fixed in the xfrm_user
case, so there is zero reason to silently allow this condition, we
should just BUG() on it.

But the logging function has this "result" thing, that in some cases
is set to 1 if "xp" or "x" is non-NULL by the callers; this is just
silly.

You can't log the event if the proper object is NULL, so the "result"
parameter and log information is useless in those cases.

Also, you missed the same exact identical bug in the AF_KEY code.

Thus, below is the patch I will use to fix this bug:

1) Calling xfrm_audit_log() with a NULL object is a BUG()
2) Setting "result" based upon NULL'ness of the object makes no
   sense, either set it to "1" in these cases or use an appropriate
   error check.

How does this look to others?

diff --git a/net/key/af_key.c b/net/key/af_key.c
index f3a026f..1c58204 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
 				   &sel, tmp.security, 1);
 	security_xfrm_policy_free(&tmp);
 
-	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
 	if (xp == NULL)
 		return -ENOENT;
 
-	err = 0;
+	err = security_xfrm_policy_delete(xp);
 
-	if ((err = security_xfrm_policy_delete(xp)))
+	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+		       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+	if (err)
 		goto out;
+
 	c.seq = hdr->sadb_msg_seq;
 	c.pid = hdr->sadb_msg_pid;
 	c.event = XFRM_MSG_DELPOLICY;
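
Review bot: the audit record for a delete that finds no policy is gone entirely. Before this change pfkey_spddelete() logged AUDIT_MAC_IPSEC_DELSPD with result 0 when xp was NULL (and crashed inside xfrm_audit_log() because there was no object to describe); after it, the `if (xp == NULL) return -ENOENT;` path emits nothing, so an attempt to delete a non-existent SPD entry leaves no audit trail. That is a defensible outcome given the function cannot format a record without xp, but it is a visible change in audit semantics and belongs in the commit message. Placing the call between the security hook and `if (err) goto out;` is the right ordering: the hook's refusal is now logged with res=0 instead of being skipped by the early goto.
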
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a24f385..c394b41 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1997,9 +1997,14 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
 	if (audit_enabled == 0)
 		return;
 
+	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
+		type == AUDIT_MAC_IPSEC_DELSA) && !x);
+	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
+		type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
+
 	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
 	if (audit_buf == NULL)
-	return;
+		return;
 
 	switch(type) {
 	case AUDIT_MAC_IPSEC_ADDSA:
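
Review bot: the two BUG_ON()s sit after `if (audit_enabled == 0) return;`, so the argument contract is only enforced on systems with auditing enabled; a caller passing the wrong object runs fine on a test box with audit off and panics on a production box with it on. Consider hoisting the checks above the early return so misuse is caught in every configuration, and consider whether WARN_ON() plus return is preferable to a full BUG() on a path reached from userspace via netlink and PF_KEY messages (the reporter's trace starts in the pluto daemon's sys_write). The `return;` re-indentation on the last lines is a whitespace-only fix mixed into a functional change; fine, but worth a mention in the description.
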
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d55436d..2567453 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
 		security_xfrm_policy_free(&tmp);
 	}
-	if (delete)
-		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
 	if (xp == NULL)
 		return -ENOENT;
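
Review bot: this removed block is the call site in the reporter's trace (xfrm_get_policy() calling xfrm_audit_log() with `(xp) ? 1 : 0` and a NULL xp), so the removal fixes the oops directly; as in af_key.c, though, a delete request that matches nothing now returns -ENOENT with no audit record. NETLINK_CB(skb).loginuid and NETLINK_CB(skb).sid are still in scope here, so if auditors need "delete attempted, nothing found" events, a record that does not dereference xp could be emitted on that path rather than dropped.
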
 
@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 					      MSG_DONTWAIT);
 		}
 	} else {
-		if ((err = security_xfrm_policy_delete(xp)) != 0)
+		err = security_xfrm_policy_delete(xp);
+
+		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+		if (err != 0)
 			goto out;
+
 		c.data.byid = p->index;
 		c.event = nlh->nlmsg_type;
 		c.seq = nlh->nlmsg_seq;
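
Review bot: `err ? 0 : 1` changes what `result` means for AUDIT_MAC_IPSEC_DELSPD from "policy found" to "security_xfrm_policy_delete() succeeded"; the af_key.c hunk makes the same change, so the two callers are now consistent, but consumers of the audit log should be told that res=0 now means the LSM refused the deletion rather than that the policy was absent. Keeping `if (err != 0) goto out;` after the audit call preserves the existing error path.
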

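The contract David spells out above (an SA record needs x, an SPD record needs xp, and `result` should reflect the outcome of the operation rather than whether the object exists) as a user-space model, added here as an example; it is not kernel code and not code from anyone in the thread. struct xfrm_state, struct xfrm_policy, the AUDIT_MAC_IPSEC_* values, audit_args_sane(), both_null_guard_passes(), model_audit_log() and delete_policy_audited() are all constructed stand-ins, and `hook_err` stands in for the return value of security_xfrm_policy_delete(). The model refuses a contract violation with an error code where the posted patch uses BUG_ON(), so the failing case from the report (DELSPD with a NULL xp) can be exercised without faulting, and it shows why a both-NULL guard alone does not close the hole.

```c
/* Added example, not kernel code: a user-space model of the argument
 * contract of xfrm_audit_log() discussed in this thread.  Every name
 * below is a constructed stand-in, even where it mirrors a kernel one. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder values for the kernel's AUDIT_MAC_IPSEC_* record types. */
enum { AUDIT_MAC_IPSEC_ADDSA = 1, AUDIT_MAC_IPSEC_DELSA,
       AUDIT_MAC_IPSEC_ADDSPD, AUDIT_MAC_IPSEC_DELSPD };

#define ENOENT_RC (-2)   /* stands in for -ENOENT */
#define EINVAL_RC (-22)  /* returned where the posted patch would BUG_ON() */

struct xfrm_state  { unsigned int spi; };    /* toy SA: only what gets logged */
struct xfrm_policy { unsigned int index; };  /* toy SPD entry */

/* Constructed sample objects and a record buffer for exercising the model. */
static struct xfrm_state  sample_sa  = { .spi = 0xc0ffee };
static struct xfrm_policy sample_pol = { .index = 42 };
static char last_record[128];

/* The contract the BUG_ON()s in the posted patch enforce: SA records need
 * x, SPD records need xp.  Anything else is a caller bug. */
static bool audit_args_sane(int type, const struct xfrm_state *x,
			    const struct xfrm_policy *xp)
{
	switch (type) {
	case AUDIT_MAC_IPSEC_ADDSA:
	case AUDIT_MAC_IPSEC_DELSA:
		return x != NULL;
	case AUDIT_MAC_IPSEC_ADDSPD:
	case AUDIT_MAC_IPSEC_DELSPD:
		return xp != NULL;
	default:
		return false;
	}
}

/* The weaker guard from the first patch in the thread: it only refuses
 * the call when both objects are NULL, so a mismatched pair slips through. */
static bool both_null_guard_passes(const struct xfrm_state *x,
				   const struct xfrm_policy *xp)
{
	return !(x == NULL && xp == NULL);
}

/* Model of xfrm_audit_log(): formats one record into out.  Returns 0, or
 * EINVAL_RC on a contract violation instead of dereferencing NULL. */
static int model_audit_log(unsigned int auid, int type, int result,
			   const struct xfrm_state *x,
			   const struct xfrm_policy *xp,
			   char *out, size_t outlen)
{
	if (!audit_args_sane(type, x, xp))
		return EINVAL_RC;
	if (type == AUDIT_MAC_IPSEC_ADDSA || type == AUDIT_MAC_IPSEC_DELSA)
		snprintf(out, outlen, "op=%s auid=%u res=%d spi=0x%08x",
			 type == AUDIT_MAC_IPSEC_ADDSA ? "SAD-add" : "SAD-delete",
			 auid, result, x->spi);
	else
		snprintf(out, outlen, "op=%s auid=%u res=%d index=%u",
			 type == AUDIT_MAC_IPSEC_ADDSPD ? "SPD-add" : "SPD-delete",
			 auid, result, xp->index);
	return 0;
}

/* Model of the corrected delete path in xfrm_get_policy()/pfkey_spddelete():
 * absent policy -> -ENOENT with no record; otherwise run the security hook,
 * log the outcome (res=1 only on success), then let the caller bail on error.
 * hook_err stands in for the return value of security_xfrm_policy_delete(). */
static int delete_policy_audited(unsigned int auid, struct xfrm_policy *xp,
				 int hook_err, char *out, size_t outlen)
{
	if (xp == NULL)
		return ENOENT_RC;
	model_audit_log(auid, AUDIT_MAC_IPSEC_DELSPD, hook_err ? 0 : 1,
			NULL, xp, out, outlen);
	return hook_err;   /* callers `goto out` on non-zero, notify on zero */
}

int main(void)
{
	/* The report's call: DELSPD with xp == NULL, and a variant with x set
	 * that the both-NULL guard wrongly lets through. */
	printf("DELSPD xp=NULL:        contract=%d both_null_guard=%d\n",
	       audit_args_sane(AUDIT_MAC_IPSEC_DELSPD, NULL, NULL),
	       both_null_guard_passes(NULL, NULL));
	printf("DELSPD x set, xp=NULL: contract=%d both_null_guard=%d\n",
	       audit_args_sane(AUDIT_MAC_IPSEC_DELSPD, &sample_sa, NULL),
	       both_null_guard_passes(&sample_sa, NULL));
	delete_policy_audited(1000, &sample_pol, 0, last_record, sizeof last_record);
	puts(last_record);
	delete_policy_audited(1000, &sample_pol, -13, last_record, sizeof last_record);
	puts(last_record);
	return 0;
}
```

The second printf line is the case the both-NULL guard misses: x is set, xp is NULL, the type is DELSPD, and the real function would still dereference xp. The two delete_policy_audited() calls show the corrected `result` semantics, res=1 when the hook accepts and res=0 when it refuses, with the refused case still producing a record.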

* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 18:20 ` Alexey Dobriyan
@ 2007-02-12 21:14   ` Charles-Edouard Ruault
  0 siblings, 0 replies; 12+ messages in thread
From: Charles-Edouard Ruault @ 2007-02-12 21:14 UTC (permalink / raw)
  To: Alexey Dobriyan; +Cc: netdev


Alexey Dobriyan wrote:
> [removing l-k from CC, and switching to netdev]
>
> Please, send your .config.
> Is it reproducible?
>
> On Mon, Feb 12, 2007 at 03:16:04PM +0100, Charles-Edouard Ruault wrote:
>   
>> I upgraded to vanilla kernel 2.6.20 and while I was using strongswan 
>> 2.8.2 to set up an IPsec VPN I got the following kernel Oops.
>> I had successfully established the same tunnel a few times, but key 
>> renegotiation caused a problem (both ends did not renegotiate at the 
>> same time so the tunnel was frozen). I decided to kill the tunnel and 
>> start a new one (using ipsec auto --down tunnel & ipsec auto --up 
>> tunnel), and while I was doing so, I got the oops.
>>
>> BUG: unable to handle kernel NULL pointer dereference at virtual address 
>> 00000188
>> printing eip:
>> c02fb85c
>> *pde = 00000000
>> Oops: 0000 [#1]
>> PREEMPT
>> Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish 
>> twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1 
>> crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100 
>> hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns 
>> ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter 
>> ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK 
>> iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus 
>> video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod 
>> libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus 
>> ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event 
>> snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc 
>> snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart 
>> i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
>> CPU:    0
>> EIP:    0060:[<c02fb85c>]    Not tainted VLI
>> EFLAGS: 00010246   (2.6.20 #1)
>> EIP is at xfrm_audit_log+0x4cc/0x580
>> eax: ecb71061   ebx: c039d160   ecx: 00000000   edx: 00000021
>> esi: 000001f4   edi: 00000255   ebp: 00000000   esp: e8cd5a18
>> ds: 007b   es: 007b   ss: 0068
>> Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
>> Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 
>> 00000003
>>       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 
>> 00000286
>>       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 
>> 00000000
>> Call Trace:
>> [<c011506b>] __wake_up+0x4b/0x80
>> [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
>> [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
>> [<c011d90e>] local_bh_enable+0x2e/0xa0
>> [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
>> [<c0305e50>] xfrm_get_policy+0x0/0x2f0
>> [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
>> [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
>> [<c02b3782>] netlink_run_queue+0x82/0x120
>> [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
>> [<c02b3d42>] netlink_data_ready+0x12/0x50
>> [<c02b2931>] netlink_sendskb+0x21/0x40
>> [<c02b3c50>] netlink_sendmsg+0x230/0x310
>> [<c02993cd>] sock_aio_write+0x11d/0x130
>> [<c01d538a>] avc_has_perm+0x5a/0x70
>> [<c0163ed5>] do_sync_write+0xd5/0x120
>> [<c012c960>] autoremove_wake_function+0x0/0x50
>> [<c01648c7>] vfs_write+0x177/0x180
>> [<c0164ea1>] sys_write+0x41/0x70
>> [<c0102f14>] syscall_call+0x7/0xb
>> =======================
>> Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
>> 48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
>> 88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
>> EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18
>>
>> I'm running a vanilla 2.6.20 kernel on a Fedora Core 5 box on an athlon 
>> processor:
>> cat /proc/cpuinfo
>> processor       : 0
>> vendor_id       : AuthenticAMD
>> cpu family      : 6
>> model           : 8
>> model name      : AMD Athlon(TM) XP 2400+
>> stepping        : 1
>> cpu MHz         : 2000.256
>> cache size      : 256 KB
>> fdiv_bug        : no
>> hlt_bug         : no
>> f00f_bug        : no
>> coma_bug        : no
>> fpu             : yes
>> fpu_exception   : yes
>> cpuid level     : 1
>> wp              : yes
>> flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 
>> mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow ts
>> bogomips        : 4003.78
>> clflush size    : 32
>>
>> uname -a
>> Linux machine 2.6.20 #1 PREEMPT Sat Feb 10 13:48:56 CET 2007 i686 athlon 
>> i386 GNU/Linux
>>
>> Please CC me in follow ups since i do not subscribe to the list.
>>     
>
>   
Here's my config.gz attached.
I don't know if it's reproducible, I have not had the time to reboot &
try again yet ....
I just applied the patch that Joy sent. I'm trying with the patched
kernel and will let the list know if it happens again.


-- 
Charles-Edouard Ruault
PGP Key ID E4D2B80C


[-- Attachment #2: config.gz --]
[-- Type: application/x-gzip, Size: 12809 bytes --]

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 17:44 Joy Latten
  2007-02-12 20:50 ` [BUG] " David Miller
@ 2007-02-12 21:04 ` Charles-Edouard Ruault
  2007-02-12 21:46 ` David Miller
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 12+ messages in thread
From: Charles-Edouard Ruault @ 2007-02-12 21:04 UTC (permalink / raw)
  To: Joy Latten; +Cc: davem, herbert, linux-kernel, linux-net

Joy Latten wrote:
>> I upgraded to vanilla kernel 2.6.20 and while I was using strongswan 
>> 2.8.2 to set up an IPSEC VPN I got the following kernel Oops.
>> I had successfully established the same tunnel a few times, but key 
>> renegotiation caused a problem (both ends did not renegotiate at the 
>> same time so the tunnel was frozen), so I decided to kill the tunnel and 
>> start a new one (using ipsec auto --down tunnel & ipsec auto --up 
>> tunnel); while I was doing so, I got the oops.
>>
>> BUG: unable to handle kernel NULL pointer dereference at virtual address 
>> 00000188
>> printing eip:
>> c02fb85c
>> *pde = 00000000
>> Oops: 0000 [#1]
>> PREEMPT
>> Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish 
>> twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1 
>> crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100 
>> hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns 
>> ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter 
>> ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK 
>> iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus 
>> video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod 
>> libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus 
>> ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event 
>> snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc 
>> snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart 
>> i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
>> CPU:    0
>> EIP:    0060:[<c02fb85c>]    Not tainted VLI
>> EFLAGS: 00010246   (2.6.20 #1)
>> EIP is at xfrm_audit_log+0x4cc/0x580
>> eax: ecb71061   ebx: c039d160   ecx: 00000000   edx: 00000021
>> esi: 000001f4   edi: 00000255   ebp: 00000000   esp: e8cd5a18
>> ds: 007b   es: 007b   ss: 0068
>> Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
>> Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 
>> 00000003
>>       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 
>> 00000286
>>       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 
>> 00000000
>> Call Trace:
>> [<c011506b>] __wake_up+0x4b/0x80
>> [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
>> [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
>> [<c011d90e>] local_bh_enable+0x2e/0xa0
>> [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
>> [<c0305e50>] xfrm_get_policy+0x0/0x2f0
>> [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
>> [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
>> [<c02b3782>] netlink_run_queue+0x82/0x120
>> [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
>> [<c02b3d42>] netlink_data_ready+0x12/0x50
>> [<c02b2931>] netlink_sendskb+0x21/0x40
>> [<c02b3c50>] netlink_sendmsg+0x230/0x310
>> [<c02993cd>] sock_aio_write+0x11d/0x130
>> [<c01d538a>] avc_has_perm+0x5a/0x70
>> [<c0163ed5>] do_sync_write+0xd5/0x120
>> [<c012c960>] autoremove_wake_function+0x0/0x50
>> [<c01648c7>] vfs_write+0x177/0x180
>> [<c0164ea1>] sys_write+0x41/0x70
>> [<c0102f14>] syscall_call+0x7/0xb
>> =======================
>> Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
>> 48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
>> 88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
>> EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18
>>
>>
>>     
>
> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Regards,
> Joy
>
> Signed-off-by: Joy Latten <latten@austin.ibm.com>
>
>
> diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_policy.c linux-2.6.19/net/xfrm/xfrm_policy.c
> --- linux-2.6.19.orig/net/xfrm/xfrm_policy.c	2007-01-02 14:24:14.000000000 -0600
> +++ linux-2.6.19/net/xfrm/xfrm_policy.c	2007-01-02 14:28:24.000000000 -0600
> @@ -2003,6 +2003,9 @@ void xfrm_audit_log(uid_t auid, u32 sid,
>  	if (audit_enabled == 0)
>  		return;
>  
> +	if ((x == NULL) && (xp == NULL))
> +		return;
> +
>  	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
>  	if (audit_buf == NULL)
>  	return;
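Review bot: the new guard at the top of xfrm_audit_log() returns silently when both x and xp are NULL, so any caller that reaches it without an object gets neither an audit record nor a diagnostic; since the only such caller visible in this patch (the call removed from xfrm_get_policy() in the next hunk) is going away, consider a comment stating that NULL/NULL is an invalid call rather than a normal path, or a WARN_ON, so that future callers do not silently lose audit events. Note also that the diff headers show the patch was generated against linux-2.6.19 while the report is for 2.6.20, so the hunk offsets (`@@ -2003,6 +2003,9 @@`) should be rechecked against the 2.6.20 tree before this goes to -stable.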
> diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_user.c linux-2.6.19/net/xfrm/xfrm_user.c
> --- linux-2.6.19.orig/net/xfrm/xfrm_user.c	2007-01-02 14:24:14.000000000 -0600
> +++ linux-2.6.19/net/xfrm/xfrm_user.c	2007-01-02 14:28:14.000000000 -0600
> @@ -1268,10 +1268,6 @@ static int xfrm_get_policy(struct sk_buf
>  		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
>  		security_xfrm_policy_free(&tmp);
>  	}
> -	if (delete)
> -		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> -			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
> -
>  	if (xp == NULL)
>  		return -ENOENT;
>  
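Review bot: this hunk removes the only audit of a failed policy delete: the call being deleted is the one that passed a NULL xp with result 0 (the xfrm_get_policy() -> xfrm_audit_log() path in the reported trace), and after the hunk a lookup miss returns -ENOENT with no AUDIT_MAC_IPSEC_DELSPD record at all. If the intent is that failed deletes are not audited, say so in the changelog; if not, a result-0 record that does not touch xp would preserve the event without the dereference.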
> @@ -1289,6 +1285,10 @@ static int xfrm_get_policy(struct sk_buf
>  	} else {
>  		if ((err = security_xfrm_policy_delete(xp)) != 0)
>  			goto out;
> +
> +		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> +			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
> +
>  		c.data.byid = p->index;
>  		c.event = nlh->nlmsg_type;
>  		c.seq = nlh->nlmsg_seq;
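Review bot: `(xp) ? 1 : 0` is dead here: xp was already checked against NULL with `return -ENOENT` earlier in xfrm_get_policy(), so the result argument is always 1 and can be written as the literal. The audit is now emitted only after security_xfrm_policy_delete() succeeds, which means a delete refused by the security hook (`goto out`) produces no record either; worth stating in the changelog together with the removal in the previous hunk.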
>   
Thanks for the quick reply & for the patch.
I'm recompiling as I write this email. I'll let you know if I experience
the problem again!
Regards.

-- 
Charles-Edouard Ruault
PGP Key ID E4D2B80C


^ permalink raw reply	[flat|nested] 12+ messages in thread
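The defect the patch above fixes, as an added example that is not code from this thread or from the kernel: a scaled-down model of the xfrm_get_policy() delete path and the audit hook it calls. The policy struct, table, record buffer and function names (policy_bysel, audit_delspd, delete_policy_before/after) are hypothetical; the padding in the struct is constructed so that the field the audit hook reads sits at offset 0x188, which is why a NULL policy pointer faults at virtual address 00000188 in the oops rather than at 0. Instead of dereferencing NULL, the hook counts the bad call so the two orderings can be compared without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Hypothetical policy object. The padding is constructed so the audited
 * field lands at offset 0x188: NULL base + 0x188 is the fault address
 * reported in the oops, the usual signature of a NULL struct pointer. */
struct policy {
    uint32_t index;
    uint32_t selector;
    uint8_t  pad[384];
    uint32_t security_ctx;     /* field the audit hook reads */
};

/* Tiny in-memory table standing in for the kernel's policy lists. */
#define TABLE_SIZE 4
static struct policy table[TABLE_SIZE];
static int table_used[TABLE_SIZE];

/* Records collected instead of audit_log_start()/audit_log_end(). */
struct audit_record { int result; uint32_t policy_index; uint32_t security_ctx; };
#define AUDIT_MAX 8
static struct audit_record audit_log[AUDIT_MAX];
static int audit_count;
static int null_audit_calls;   /* times the hook was handed a NULL policy */

void table_reset(void)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        table_used[i] = 0;
    audit_count = 0;
    null_audit_calls = 0;
}

int table_insert(uint32_t index, uint32_t selector, uint32_t ctx)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!table_used[i]) {
            table[i].index = index;
            table[i].selector = selector;
            table[i].security_ctx = ctx;
            table_used[i] = 1;
            return 0;
        }
    }
    return -ENOSPC;
}

/* Lookup by selector; with do_delete set the entry is unlinked, like
 * xfrm_policy_bysel_ctx(..., delete). The object stays readable after
 * unlinking, as the refcounted xfrm_policy does. */
struct policy *policy_bysel(uint32_t selector, int do_delete)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (table_used[i] && table[i].selector == selector) {
            if (do_delete)
                table_used[i] = 0;
            return &table[i];
        }
    }
    return NULL;
}

/* Audit hook. The real xfrm_audit_log() read through xp unconditionally;
 * here a NULL policy is counted (the check the patch adds) instead of
 * dereferenced, so the defect is observable without a crash. */
static void audit_delspd(int result, struct policy *xp)
{
    if (xp == NULL) {
        null_audit_calls++;
        return;
    }
    if (audit_count < AUDIT_MAX) {
        audit_log[audit_count].result = result;
        audit_log[audit_count].policy_index = xp->index;
        audit_log[audit_count].security_ctx = xp->security_ctx;
        audit_count++;
    }
}

/* Ordering before the patch: audit runs before the NULL check, so a
 * delete of a policy that does not exist hands NULL to the hook. */
int delete_policy_before(uint32_t selector)
{
    struct policy *xp = policy_bysel(selector, 1);
    audit_delspd(xp ? 1 : 0, xp);
    if (xp == NULL)
        return -ENOENT;
    return 0;
}

/* Ordering after the patch: return -ENOENT first, audit only a live policy. */
int delete_policy_after(uint32_t selector)
{
    struct policy *xp = policy_bysel(selector, 1);
    if (xp == NULL)
        return -ENOENT;
    audit_delspd(1, xp);
    return 0;
}

/* Offset of the audited field: matches the 00000188 in the oops. */
size_t audited_field_offset(void)
{
    return offsetof(struct policy, security_ctx);
}
```

The trade-off the patch makes is visible in the model: the reordered path can no longer fault, but a failed delete leaves no audit record at all, which is what a reviewer of the second hunk should weigh.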

* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 17:44 Joy Latten
@ 2007-02-12 20:50 ` David Miller
  2007-02-12 21:04 ` Charles-Edouard Ruault
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 12+ messages in thread
From: David Miller @ 2007-02-12 20:50 UTC (permalink / raw)
  To: latten; +Cc: ce, herbert, linux-kernel, linux-net

From: Joy Latten <latten@austin.ibm.com>
Date: Mon, 12 Feb 2007 11:44:30 -0600

> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
> 
> Regards,
> Joy
> 
> Signed-off-by: Joy Latten <latten@austin.ibm.com>

This one is my bad, I should have gotten around to properly
reviewing this patch before 2.6.20-final went out.  I'll
up the priority on this one to make sure it gets into -stable
and mainline soon.

Thanks for resending, Joy.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [BUG] 2.6.20 Oopses in xfrm_audit_log
  2007-02-12 14:16 Charles-Edouard Ruault
@ 2007-02-12 18:20 ` Alexey Dobriyan
  2007-02-12 21:14   ` Charles-Edouard Ruault
  0 siblings, 1 reply; 12+ messages in thread
From: Alexey Dobriyan @ 2007-02-12 18:20 UTC (permalink / raw)
  To: Charles-Edouard Ruault; +Cc: netdev

[removing l-k from CC, and switching to netdev]

Please, send your .config.
Is it reproducible?

On Mon, Feb 12, 2007 at 03:16:04PM +0100, Charles-Edouard Ruault wrote:
> I upgraded to vanilla kernel 2.6.20 and while I was using strongswan 
> 2.8.2 to set up an IPSEC VPN I got the following kernel Oops.
> I had successfully established the same tunnel a few times, but key 
> renegotiation caused a problem (both ends did not renegotiate at the 
> same time so the tunnel was frozen), so I decided to kill the tunnel and 
> start a new one (using ipsec auto --down tunnel & ipsec auto --up 
> tunnel); while I was doing so, I got the oops.
> 
> BUG: unable to handle kernel NULL pointer dereference at virtual address 
> 00000188
> printing eip:
> c02fb85c
> *pde = 00000000
> Oops: 0000 [#1]
> PREEMPT
> Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish 
> twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1 
> crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100 
> hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns 
> ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter 
> ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK 
> iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus 
> video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod 
> libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus 
> ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event 
> snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc 
> snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart 
> i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
> CPU:    0
> EIP:    0060:[<c02fb85c>]    Not tainted VLI
> EFLAGS: 00010246   (2.6.20 #1)
> EIP is at xfrm_audit_log+0x4cc/0x580
> eax: ecb71061   ebx: c039d160   ecx: 00000000   edx: 00000021
> esi: 000001f4   edi: 00000255   ebp: 00000000   esp: e8cd5a18
> ds: 007b   es: 007b   ss: 0068
> Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
> Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 
> 00000003
>       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 
> 00000286
>       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 
> 00000000
> Call Trace:
> [<c011506b>] __wake_up+0x4b/0x80
> [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
> [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
> [<c011d90e>] local_bh_enable+0x2e/0xa0
> [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
> [<c0305e50>] xfrm_get_policy+0x0/0x2f0
> [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
> [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
> [<c02b3782>] netlink_run_queue+0x82/0x120
> [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
> [<c02b3d42>] netlink_data_ready+0x12/0x50
> [<c02b2931>] netlink_sendskb+0x21/0x40
> [<c02b3c50>] netlink_sendmsg+0x230/0x310
> [<c02993cd>] sock_aio_write+0x11d/0x130
> [<c01d538a>] avc_has_perm+0x5a/0x70
> [<c0163ed5>] do_sync_write+0xd5/0x120
> [<c012c960>] autoremove_wake_function+0x0/0x50
> [<c01648c7>] vfs_write+0x177/0x180
> [<c0164ea1>] sys_write+0x41/0x70
> [<c0102f14>] syscall_call+0x7/0xb
> =======================
> Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
> 48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
> 88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
> EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18
> 
> I'm running a vanilla 2.6.20 kernel on a Fedora Core 5 box on an athlon 
> processor:
> cat /proc/cpuinfo
> processor       : 0
> vendor_id       : AuthenticAMD
> cpu family      : 6
> model           : 8
> model name      : AMD Athlon(TM) XP 2400+
> stepping        : 1
> cpu MHz         : 2000.256
> cache size      : 256 KB
> fdiv_bug        : no
> hlt_bug         : no
> f00f_bug        : no
> coma_bug        : no
> fpu             : yes
> fpu_exception   : yes
> cpuid level     : 1
> wp              : yes
> flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 
> mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow ts
> bogomips        : 4003.78
> clflush size    : 32
> 
> uname -a
> Linux machine 2.6.20 #1 PREEMPT Sat Feb 10 13:48:56 CET 2007 i686 athlon 
> i386 GNU/Linux
> 
> Please CC me in follow ups since i do not subscribe to the list.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [BUG] 2.6.20 Oopses in xfrm_audit_log
@ 2007-02-12 14:16 Charles-Edouard Ruault
  2007-02-12 18:20 ` Alexey Dobriyan
  0 siblings, 1 reply; 12+ messages in thread
From: Charles-Edouard Ruault @ 2007-02-12 14:16 UTC (permalink / raw)
  To: linux-kernel, linux-net

Hi All,

I upgraded to vanilla kernel 2.6.20 and while I was using strongswan 
2.8.2 to set up an IPSEC VPN I got the following kernel Oops.
I had successfully established the same tunnel a few times, but key 
renegotiation caused a problem (both ends did not renegotiate at the 
same time so the tunnel was frozen), so I decided to kill the tunnel and 
start a new one (using ipsec auto --down tunnel & ipsec auto --up 
tunnel); while I was doing so, I got the oops.

BUG: unable to handle kernel NULL pointer dereference at virtual address 
00000188
 printing eip:
c02fb85c
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish 
twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1 
crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100 
hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns 
ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter 
ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK 
iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus 
video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod 
libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus 
ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event 
snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc 
snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart 
i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
CPU:    0
EIP:    0060:[<c02fb85c>]    Not tainted VLI
EFLAGS: 00010246   (2.6.20 #1)
EIP is at xfrm_audit_log+0x4cc/0x580
eax: ecb71061   ebx: c039d160   ecx: 00000000   edx: 00000021
esi: 000001f4   edi: 00000255   ebp: 00000000   esp: e8cd5a18
ds: 007b   es: 007b   ss: 0068
Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 
00000003
       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 
00000286
       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 
00000000
Call Trace:
 [<c011506b>] __wake_up+0x4b/0x80
 [<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
 [<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
 [<c011d90e>] local_bh_enable+0x2e/0xa0
 [<c0306107>] xfrm_get_policy+0x2b7/0x2f0
 [<c0305e50>] xfrm_get_policy+0x0/0x2f0
 [<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
 [<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
 [<c02b3782>] netlink_run_queue+0x82/0x120
 [<c03045e8>] xfrm_netlink_rcv+0x28/0x40
 [<c02b3d42>] netlink_data_ready+0x12/0x50
 [<c02b2931>] netlink_sendskb+0x21/0x40
 [<c02b3c50>] netlink_sendmsg+0x230/0x310
 [<c02993cd>] sock_aio_write+0x11d/0x130
 [<c01d538a>] avc_has_perm+0x5a/0x70
 [<c0163ed5>] do_sync_write+0xd5/0x120
 [<c012c960>] autoremove_wake_function+0x0/0x50
 [<c01648c7>] vfs_write+0x177/0x180
 [<c0164ea1>] sys_write+0x41/0x70
 [<c0102f14>] syscall_call+0x7/0xb
 =======================
Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24 
48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91 
88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18

I'm running a vanilla 2.6.20 kernel on a Fedora Core 5 box on an athlon 
processor:
cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 6
model           : 8
model name      : AMD Athlon(TM) XP 2400+
stepping        : 1
cpu MHz         : 2000.256
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 
mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow ts
bogomips        : 4003.78
clflush size    : 32

uname -a
Linux machine 2.6.20 #1 PREEMPT Sat Feb 10 13:48:56 CET 2007 i686 athlon 
i386 GNU/Linux

Please CC me in follow ups since i do not subscribe to the list.
Thanks

-- 
Charles-Edouard Ruault
GPG key Id E4D2B80C


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2007-02-26 10:36 UTC | newest]

Thread overview: 12+ messages
2007-02-12 22:21 Fw: [BUG] 2.6.20 Oopses in xfrm_audit_log Andrew Morton
2007-02-12 22:49 ` David Miller
2007-02-12 23:01   ` Andrew Morton
  -- strict thread matches above, loose matches on Subject: below --
2007-02-12 17:44 Joy Latten
2007-02-12 20:50 ` [BUG] " David Miller
2007-02-12 21:04 ` Charles-Edouard Ruault
2007-02-12 21:46 ` David Miller
2007-02-13  1:02   ` James Morris
2007-02-15  8:22 ` Charles-Edouard Ruault
2007-02-26 10:36 ` Charles-Edouard Ruault
2007-02-12 14:16 Charles-Edouard Ruault
2007-02-12 18:20 ` Alexey Dobriyan
2007-02-12 21:14   ` Charles-Edouard Ruault
