linux-kernel.vger.kernel.org archive mirror
From: Herbert Xu <herbert@gondor.apana.org.au>
To: "David S. Miller" <davem@davemloft.net>,
	Marco Berizzi <pupilla@hotmail.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [IPSEC]: Use the correct ip_local_out function
Date: Tue, 20 May 2008 17:25:11 +0800
Message-ID: <20080520092511.GA9005@gondor.apana.org.au>
In-Reply-To: <BAY103-DAV88950FC99CDE9EAAE27B2B2CE0@phx.gbl>

On Wed, May 14, 2008 at 10:19:57AM +0200, Marco Berizzi wrote:
> 
> I hope this helps.

OK found the problem, it was my fault after all :)

Dave, this patch needs to go into stable too.

[IPSEC]: Use the correct ip_local_out function

Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly.  Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash.  Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 92f90ae..df41026 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -160,7 +160,7 @@ static struct dst_ops ipv4_dst_ops = {
 	.negative_advice =	ipv4_negative_advice,
 	.link_failure =		ipv4_link_failure,
 	.update_pmtu =		ip_rt_update_pmtu,
-	.local_out =		ip_local_out,
+	.local_out =		__ip_local_out,
 	.entry_size =		sizeof(struct rtable),
 	.entries =		ATOMIC_INIT(0),
 };
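
Review bot: The new .local_out initializer in ipv4_dst_ops relies on a contract that is written down nowhere in this hunk: the callback must stop after the netfilter hook and leave the dst_output call to its caller (xfrm_output_resume, per the changelog). A short comment next to this line, or on the local_out member of struct dst_ops, would keep a later cleanup from putting ip_local_out back. The changelog also spells the functions __ip_local_output and ip_local_output, while the code uses __ip_local_out and ip_local_out; aligning the names would make the commit findable by grep.
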
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 12bba08..849b78a 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -109,7 +109,7 @@ static struct dst_ops ip6_dst_ops_template = {
 	.negative_advice	=	ip6_negative_advice,
 	.link_failure		=	ip6_link_failure,
 	.update_pmtu		=	ip6_rt_update_pmtu,
-	.local_out		=	ip6_local_out,
+	.local_out		=	__ip6_local_out,
 	.entry_size		=	sizeof(struct rt6_info),
 	.entries		=	ATOMIC_INIT(0),
 };
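
Review bot: The changelog names only the IPv4 functions, yet the .local_out line in ip6_dst_ops_template makes the same switch for IPv6 (ip6_local_out to __ip6_local_out). Please add a sentence to the commit message saying that both address families are affected, so that whoever picks this up for stable does not treat the net/ipv6/route.c part as optional.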

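The return-value clash described in the commit message, as an added user-space model (not code from the patch or from the kernel). All `model_*` names, the `struct pkt` fields, and the reading of the two `1` values as "continue" and "dropped" are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed user-space model; every name here is a hypothetical stand-in. */
#define HOOK_CONTINUE 1 /* hook layer: accepted, caller still has to transmit */
#define XMIT_DROP     1 /* output layer: queue dropped the packet, now freed  */
struct pkt { int freed; int used_after_free; };

/* Output path that drops: consumes the packet and reports XMIT_DROP. */
static int model_dst_output(struct pkt *p)
{
	if (p->freed)
		p->used_after_free++;   /* a real kernel would touch freed memory */
	p->freed = 1;
	return XMIT_DROP;
}

/* Hook-only variant: runs the hook and never transmits. */
static int model_hook_only(struct pkt *p) { (void)p; return HOOK_CONTINUE; }

/* Full variant: runs the hook, then transmits on the caller's behalf. */
static int model_hook_and_send(struct pkt *p)
{
	int err = model_hook_only(p);
	return err == HOOK_CONTINUE ? model_dst_output(p) : err;
}

/* Caller that does its own output step whenever local_out returns 1. */
static int model_output_resume(struct pkt *p, int (*local_out)(struct pkt *))
{
	int err = local_out(p);
	if (err != 1)               /* 1 may be XMIT_DROP or HOOK_CONTINUE */
		return err;
	return model_dst_output(p);
}

/* Number of times the packet was handed on after it had been freed. */
int uaf_count(int use_hook_only)
{
	struct pkt p = { 0, 0 };
	model_output_resume(&p, use_hook_only ? model_hook_only : model_hook_and_send);
	return p.used_after_free;
}

int main(void)
{
	printf("full variant:      %d use(s) after free\n", uaf_count(0));
	printf("hook-only variant: %d use(s) after free\n", uaf_count(1));
	return 0;
}
```

With the full variant installed as the callback, the caller cannot distinguish a drop from a pass and transmits the freed packet a second time; with the hook-only variant the output step runs exactly once.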