Commit 731e013e authored Jul 17, 2020 by Steffen Klassert Committed by Greg Kroah-Hartman Aug 05, 2020

xfrm: Fix crash when the hold queue is used.



[ Upstream commit 101dde4207f1daa1fda57d714814a03835dccc3f ]

The commits "xfrm: Move dst->path into struct xfrm_dst"
and "net: Create and use new helper xfrm_dst_child()."
changed xfrm bundle handling under the assumption
that xdst->path and dst->child are not a NULL pointer
only if dst->xfrm is not a NULL pointer. That is true
with one exception. If the xfrm hold queue is used
to wait until a SA is installed by the key manager,
we create a dummy bundle without a valid dst->xfrm
pointer. The current xfrm bundle handling crashes
in that case. Fix this by extending the NULL check
of dst->xfrm with a test of the DST_XFRM_QUEUE flag.

Fixes: 0f6c480f ("xfrm: Move dst->path into struct xfrm_dst")
Fixes: b92cf4aa ("net: Create and use new helper xfrm_dst_child().")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent a4c90288

include/net/xfrm.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -945,7 +945,7 @@ struct xfrm_dst {
		static inline struct dst_entry xfrm_dst_path(const struct dst_entry dst)
		{
		#ifdef CONFIG_XFRM
		if (dst->xfrm) {
		if (dst->xfrm \|\| (dst->flags & DST_XFRM_QUEUE)) {
		const struct xfrm_dst xdst = (const struct xfrm_dst ) dst;

		return xdst->path;
		@@ -957,7 +957,7 @@ static inline struct dst_entry xfrm_dst_path(const struct dst_entry dst)
		static inline struct dst_entry xfrm_dst_child(const struct dst_entry dst)
		{
		#ifdef CONFIG_XFRM
		if (dst->xfrm) {
		if (dst->xfrm \|\| (dst->flags & DST_XFRM_QUEUE)) {
		struct xfrm_dst xdst = (struct xfrm_dst ) dst;
		return xdst->child;
		}