[IPSEC] XFRM_USER: kernel panic when large security contexts in ACQUIRE
When sending a security context of 50+ characters in an ACQUIRE
message, following kernel panic occurred.
kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
cpu 0x3: Vector: 700 (Program Check) at [
c0000000421bb2e0]
pc:
c00000000033b074: .xfrm_send_acquire+0x240/0x2c8
lr:
c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8
sp:
c0000000421bb560
msr:
8000000000029032
current = 0xc00000000fce8f00
paca = 0xc000000000464b00
pid = 2303, comm = ping
kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
enter ? for help
3:mon> t
[
c0000000421bb650]
c00000000033538c .km_query+0x6c/0xec
[
c0000000421bb6f0]
c000000000337374 .xfrm_state_find+0x7f4/0xb88
[
c0000000421bb7f0]
c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c
[
c0000000421bb8d0]
c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0
[
c0000000421bba00]
c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4
[
c0000000421bbaa0]
c0000000003106d8 .ip4_datagram_connect+0x218/0x374
[
c0000000421bbbd0]
c00000000031bc00 .inet_dgram_connect+0xac/0xd4
[
c0000000421bbc60]
c0000000002b11ac .sys_connect+0xd8/0x120
[
c0000000421bbd90]
c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214
[
c0000000421bbe30]
c00000000000869c syscall_exit+0x0/0x40
--- Exception: c00 (System Call) at
0000000007f0ca9c
SP (
fc0ef8f0) is in userspace
We are using size of security context from xfrm_policy to determine
how much space to alloc skb and then putting security context from
xfrm_state into skb. Should have been using size of security context
from xfrm_state to alloc skb. Following fix does that
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
projects / openwrt / staging / blogic.git / commit