Commit 3bc07321 authored Mar 15, 2011 by Steffen Klassert Committed by David S. Miller Mar 27, 2011

xfrm: Force a dst refcount before entering the xfrm type handlers



Crypto requests might return asynchronous. In this case we leave
the rcu protected region, so force a refcount on the skb's
destination entry before we enter the xfrm type input/output
handlers.

This fixes a crash when a route is deleted whilst sending IPsec
data that is transformed by an asynchronous algorithm.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 1fbc7843

net/xfrm/xfrm_input.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -190,6 +190,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
		XFRM_SKB_CB(skb)->seq.input.low = seq;
		XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;

		skb_dst_force(skb);

		nexthdr = x->type->input(x, skb);

		if (nexthdr == -EINPROGRESS)

net/xfrm/xfrm_output.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -78,6 +78,8 @@ static int xfrm_output_one(struct sk_buff *skb, int err)

		spin_unlock_bh(&x->lock);

		skb_dst_force(skb);

		err = x->type->output(x, skb);
		if (err == -EINPROGRESS)
		goto out_exit;