2007-02-12 14:17:16

by Charles-Edouard Ruault

Subject: [BUG] 2.6.20 Oopses in xfrm_audit_log

Hi All,

I upgraded to vanilla kernel 2.6.20 and while I was using strongswan
2.8.2 to set up an IPsec VPN I got the following kernel oops.
I had successfully established the same tunnel a few times, but key
renegotiation caused a problem (both ends did not renegotiate at the
same time, so the tunnel was frozen). I decided to kill the tunnel and
start a new one (using ipsec auto --down tunnel & ipsec auto --up
tunnel), and while I was doing so, I got the oops.

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000188
printing eip:
c02fb85c
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: xfrm4_mode_tunnel usblp deflate zlib_deflate twofish
twofish_common serpent blowfish des cbc ecb blkcipher xcbc sha256 sha1
crypto_null xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 asb100
hwmon_vid hidp rfcomm l2cap bluetooth sunrpc nf_conntrack_netbios_ns
ipt_LOG xt_limit xt_mark xt_state xt_tcpudp iptable_filter
ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_MARK
iptable_mangle ip_tables x_tables binfmt_misc sd_mod ipv6 sg hfsplus
video button ac lp parport_pc parport floppy nvram usb_storage scsi_mod
libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec ac97_bus
ohci1394 snd_seq_dummy uhci_hcd ieee1394 snd_seq_oss snd_seq_midi_event
snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc
snd_mpu401_uart snd_rawmidi snd_seq_device snd via_agp agpgart
i2c_viapro soundcore eepro100 i2c_core b44 pcspkr mii shpchp usbcore dm_mod
CPU: 0
EIP: 0060:[<c02fb85c>] Not tainted VLI
EFLAGS: 00010246 (2.6.20 #1)
EIP is at xfrm_audit_log+0x4cc/0x580
eax: ecb71061 ebx: c039d160 ecx: 00000000 edx: 00000021
esi: 000001f4 edi: 00000255 ebp: 00000000 esp: e8cd5a18
ds: 007b es: 007b ss: 0068
Process pluto (pid: 27486, ti=e8cd4000 task=d3557070 task.ti=e8cd4000)
Stack: c17d2ea0 c0354bf1 e183f9c0 00000003 c03ac59c e1399800 00000001 00000003
       f8d0a450 00000000 00000001 00000286 e8cd5a6c c011506b 00000000 00000286
       f73cb8c0 00000246 c17d2ea0 00000000 00000000 f73cb8c0 f8d03c67 00000000
Call Trace:
[<c011506b>] __wake_up+0x4b/0x80
[<f8d03c67>] pfkey_broadcast+0x137/0x1b0 [af_key]
[<f8d03e5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
[<c011d90e>] local_bh_enable+0x2e/0xa0
[<c0306107>] xfrm_get_policy+0x2b7/0x2f0
[<c0305e50>] xfrm_get_policy+0x0/0x2f0
[<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
[<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
[<c02b3782>] netlink_run_queue+0x82/0x120
[<c03045e8>] xfrm_netlink_rcv+0x28/0x40
[<c02b3d42>] netlink_data_ready+0x12/0x50
[<c02b2931>] netlink_sendskb+0x21/0x40
[<c02b3c50>] netlink_sendmsg+0x230/0x310
[<c02993cd>] sock_aio_write+0x11d/0x130
[<c01d538a>] avc_has_perm+0x5a/0x70
[<c0163ed5>] do_sync_write+0xd5/0x120
[<c012c960>] autoremove_wake_function+0x0/0x50
[<c01648c7>] vfs_write+0x177/0x180
[<c0164ea1>] sys_write+0x41/0x70
[<c0102f14>] syscall_call+0x7/0xb
=======================
Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24
48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91
88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:e8cd5a18

I'm running a vanilla 2.6.20 kernel on a Fedora Core 5 box on an Athlon
processor:
cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 6
model : 8
model name : AMD Athlon(TM) XP 2400+
stepping : 1
cpu MHz : 2000.256
cache size : 256 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow ts
bogomips : 4003.78
clflush size : 32

uname -a
Linux machine 2.6.20 #1 PREEMPT Sat Feb 10 13:48:56 CET 2007 i686 athlon i386 GNU/Linux

Please CC me in follow-ups since I do not subscribe to the list.
Thanks

--
Charles-Edouard Ruault
GPG key Id E4D2B80C


2007-02-12 18:00:58

by Joy Latten

Subject: Re: [BUG] 2.6.20 Oopses in xfrm_audit_log


This is similar to another bug reported last month.
Here is the patch I sent out then. Please let me know
how it goes.

Regards,
Joy

Signed-off-by: Joy Latten <[email protected]>


diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_policy.c linux-2.6.19/net/xfrm/xfrm_policy.c
--- linux-2.6.19.orig/net/xfrm/xfrm_policy.c 2007-01-02 14:24:14.000000000 -0600
+++ linux-2.6.19/net/xfrm/xfrm_policy.c 2007-01-02 14:28:24.000000000 -0600
@@ -2003,6 +2003,9 @@ void xfrm_audit_log(uid_t auid, u32 sid,
if (audit_enabled == 0)
return;

+ if ((x == NULL) && (xp == NULL))
+ return;
+
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
return;
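Review bot: the added `if ((x == NULL) && (xp == NULL)) return;` silently drops the event instead of flagging the caller, so a delete of a policy that does not exist (result 0, xp NULL, exactly the case that oopsed) now leaves neither an audit record nor a diagnostic; a WARN_ON-style check on a type/object mismatch would surface any remaining buggy caller rather than hide it. The hunk is also against linux-2.6.19 (context at line 2003) while the report is for 2.6.20, so please confirm it still applies there.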
diff -urpN linux-2.6.19.orig/net/xfrm/xfrm_user.c linux-2.6.19/net/xfrm/xfrm_user.c
--- linux-2.6.19.orig/net/xfrm/xfrm_user.c 2007-01-02 14:24:14.000000000 -0600
+++ linux-2.6.19/net/xfrm/xfrm_user.c 2007-01-02 14:28:14.000000000 -0600
@@ -1268,10 +1268,6 @@ static int xfrm_get_policy(struct sk_buf
xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
security_xfrm_policy_free(&tmp);
}
- if (delete)
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
if (xp == NULL)
return -ENOENT;

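Review bot: with the `if (delete)` audit call removed ahead of `if (xp == NULL) return -ENOENT;`, a delete request for a policy that does not exist is no longer audited at all; if the requirement is to record every SPD deletion attempt, the commit message should state that failed lookups are intentionally not logged.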
@@ -1289,6 +1285,10 @@ static int xfrm_get_policy(struct sk_buf
} else {
if ((err = security_xfrm_policy_delete(xp)) != 0)
goto out;
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+
c.data.byid = p->index;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
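Review bot: at the new call site `xp` has already passed the NULL check, so `(xp) ? 1 : 0` is always 1 and should simply be `1`; more importantly the audit is reached only after `security_xfrm_policy_delete(xp)` succeeded, so an LSM-refused delete takes `goto out` with no record at all. Consider placing the call before the `goto out` and passing `err ? 0 : 1`, so the refused case is audited with result 0. The AF_KEY path (pfkey_spddelete) has the same audit-before-NULL-check call and is not touched by this patch.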

2007-02-12 20:50:09

by David Miller

Subject: Re: [BUG] 2.6.20 Oopses in xfrm_audit_log

From: Joy Latten <[email protected]>
Date: Mon, 12 Feb 2007 11:44:30 -0600

> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Regards,
> Joy
>
> Signed-off-by: Joy Latten <[email protected]>

This one is my bad, I should have gotten around to properly
reviewing this patch before 2.6.20-final went out. I'll
up the priority on this one to make sure it gets into -stable
and mainline soon.

Thanks for resending Joy.

2007-02-12 21:04:47

by Charles-Edouard Ruault

Subject: Re: [BUG] 2.6.20 Oopses in xfrm_audit_log

Joy Latten wrote:
> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Regards,
> Joy
>
> Signed-off-by: Joy Latten <[email protected]>
Thanks for the quick reply & for the patch.
I'm recompiling as I write this email. I'll let you know if I experience
the problem again!
Regards.

--
Charles-Edouard Ruault
PGP Key ID E4D2B80C

2007-02-12 21:46:31

by David Miller

Subject: Re: [BUG] 2.6.20 Oopses in xfrm_audit_log

From: Joy Latten <[email protected]>
Date: Mon, 12 Feb 2007 11:44:30 -0600

> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Signed-off-by: Joy Latten <[email protected]>

This whole interface is a complete mess.

Calling xfrm_audit_log() without the proper object being non-NULL
should be a bug. And that's exactly what you fixed in the xfrm_user
case, so there is zero reason to silently allow this condition, we
should just BUG() on it.

But the logging function has this "result" thing, that in some cases
is set to 1 if "xp" or "x" is not-NULL by the callers, this is just
silly.

You can't log the event if the proper object is NULL, so the "result"
parameter and log information is useless in those cases.

Also, you missed the same exact identical bug in the AF_KEY code.

Thus, below is the patch I will use to fix this bug:

1) Calling xfrm_audit_log() with a NULL object is a BUG()
2) Setting "result" based upon NULL'ness of the object makes no
sense, either set it to "1" in these cases or use an appropriate
error check.

How does this look to others?

diff --git a/net/key/af_key.c b/net/key/af_key.c
index f3a026f..1c58204 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
&sel, tmp.security, 1);
security_xfrm_policy_free(&tmp);

- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
if (xp == NULL)
return -ENOENT;

- err = 0;
+ err = security_xfrm_policy_delete(xp);

- if ((err = security_xfrm_policy_delete(xp)))
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+ if (err)
goto out;
+
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
c.event = XFRM_MSG_DELPOLICY;
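Review bot: `audit_get_loginuid(current->audit_context)` with a hard-coded `0` as the sid differs from the xfrm_user path, which passes `NETLINK_CB(skb).sid`; that is pre-existing, but since this hunk rewrites the audit call anyway it is worth saying whether the secid is unavailable on the PF_KEY path or merely omitted. The bare `+` line added after `goto out;` is a whitespace-only change unrelated to the fix.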
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a24f385..c394b41 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1997,9 +1997,14 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
if (audit_enabled == 0)
return;

+ BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
+ type == AUDIT_MAC_IPSEC_DELSA) && !x);
+ BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
+ type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
+
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
- return;
+ return;

switch(type) {
case AUDIT_MAC_IPSEC_ADDSA:
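Review bot: the two BUG_ON()s turn a mismatched caller into a kernel panic on a path driven by userspace socket writes (the reported oops came from pluto writing to a netlink socket), so any caller this patch missed becomes a crash rather than a dropped record; the patch only reworks the two DELSPD callers, so the ADDSA/DELSA/ADDSPD callers should be checked to always pass a non-NULL object before this goes in, or the check should be a WARN_ON that returns. The `- return;` / `+ return;` pair is a whitespace-only change.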
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d55436d..2567453 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
security_xfrm_policy_free(&tmp);
}
- if (delete)
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
if (xp == NULL)
return -ENOENT;

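Review bot: this hunk is identical to the first xfrm_user.c hunk in Joy's patch, so it will not apply to a tree that already carries that patch (as the reporter's did); anyone testing this should start from vanilla 2.6.20, as the reporter later notes.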
@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
MSG_DONTWAIT);
}
} else {
- if ((err = security_xfrm_policy_delete(xp)) != 0)
+ err = security_xfrm_policy_delete(xp);
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+ if (err != 0)
goto out;
+
c.data.byid = p->index;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
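Review bot: the `xp = xfrm_policy_bysel_ctx(..., delete)` lookup at the top of this function is passed the `delete` flag, so if that lookup already unlinks the policy, an audit record with result 0 here (LSM refused) would describe a deletion that has in fact taken place; please confirm the unlink only happens after `security_xfrm_policy_delete()` succeeds, or note the discrepancy in the commit message. The `err ? 0 : 1` result is otherwise the right replacement for the `(xp) ? 1 : 0` the thread objects to.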

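As an added illustration (not code from this thread or from the kernel), a userspace C model of the two SPD delete orderings discussed above: the pre-patch one that audits before the NULL check with a result derived from pointer validity, and the ordering the fix adopts. All struct, function and variable names are hypothetical stand-ins; the model audit function rejects a type/object mismatch with a return code instead of BUG_ON so a test can observe the bad call.

```c
/* Added illustration, not kernel code: a userspace model of the SPD delete
 * path and the audit-call ordering discussed in this thread. Every name and
 * the in-memory "SPD" below are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum audit_type { AUDIT_ADDSPD, AUDIT_DELSPD, AUDIT_ADDSA, AUDIT_DELSA };

struct policy { unsigned index; int refused_by_lsm; int deleted; };
struct state  { unsigned spi; };

/* Last audit record emitted, kept so a test can inspect it. */
static struct { int valid; enum audit_type type; int result; unsigned index; } last_audit;
static int audit_mismatches;   /* calls made with the wrong object for the type */

/* Model of xfrm_audit_log(): a policy event needs a policy, an SA event needs
 * a state. The kernel patch uses BUG_ON here; this model returns -EINVAL and
 * counts the mismatch (the WARN-and-bail alternative) so it is observable. */
static int audit_log(enum audit_type type, int result,
                     const struct policy *xp, const struct state *x)
{
    int needs_policy = (type == AUDIT_ADDSPD || type == AUDIT_DELSPD);
    if ((needs_policy && !xp) || (!needs_policy && !x)) {
        audit_mismatches++;
        return -EINVAL;
    }
    last_audit.valid = 1;
    last_audit.type = type;
    last_audit.result = result;
    /* This dereference is what oopsed in the report: xp was NULL there. */
    last_audit.index = needs_policy ? xp->index : x->spi;
    return 0;
}

/* Tiny stand-in for the SPD (constructed sample data): policy 2 is one the
 * model LSM refuses to let go. */
static struct policy spd[] = { {1, 0, 0}, {2, 1, 0}, {3, 0, 0} };

static struct policy *policy_byindex(unsigned index)
{
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++)
        if (spd[i].index == index && !spd[i].deleted)
            return &spd[i];
    return NULL;
}

/* Stand-in for security_xfrm_policy_delete(): the LSM may refuse. */
static int security_policy_delete(const struct policy *xp)
{
    return xp->refused_by_lsm ? -EPERM : 0;
}

/* Pre-patch ordering: audit before the NULL check, result = (xp) ? 1 : 0.
 * A lookup miss hands NULL to the audit function. */
static int spd_delete_before(unsigned index)
{
    struct policy *xp = policy_byindex(index);
    int err;

    audit_log(AUDIT_DELSPD, xp ? 1 : 0, xp, NULL);
    if (!xp)
        return -ENOENT;
    err = security_policy_delete(xp);
    if (err)
        return err;
    xp->deleted = 1;
    return 0;
}

/* Post-patch ordering: NULL check first, LSM decision second, then a single
 * audit record whose result reflects the LSM outcome, not pointer validity. */
static int spd_delete_after(unsigned index)
{
    struct policy *xp = policy_byindex(index);
    int err;

    if (!xp)
        return -ENOENT;               /* no object, nothing to audit */
    err = security_policy_delete(xp);
    audit_log(AUDIT_DELSPD, err ? 0 : 1, xp, NULL);
    if (err)
        return err;
    xp->deleted = 1;
    return 0;
}

/* Reset the model between scenarios; returns 0 so it can sit in an assert. */
static int reset_model(void)
{
    memset(&last_audit, 0, sizeof last_audit);
    audit_mismatches = 0;
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++)
        spd[i].deleted = 0;
    return 0;
}

int main(void)
{
    reset_model();
    printf("before, missing policy: rc=%d mismatches=%d\n",
           spd_delete_before(9), audit_mismatches);
    reset_model();
    printf("after, missing policy:  rc=%d mismatches=%d\n",
           spd_delete_after(9), audit_mismatches);
    printf("after, LSM refuses:     rc=%d result=%d\n",
           spd_delete_after(2), last_audit.result);
    printf("after, success:         rc=%d result=%d\n",
           spd_delete_after(1), last_audit.result);
    return 0;
}
```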
2007-02-13 01:02:30

by James Morris

Subject: Re: [BUG] 2.6.20 Oopses in xfrm_audit_log

On Mon, 12 Feb 2007, David Miller wrote:

> Thus, below is the patch I will use to fix this bug:
>
> 1) Calling xfrm_audit_log() with a NULL object is a BUG()
> 2) Setting "result" based upon NULL'ness of the object makes no
> sense, either set it to "1" in these cases or use an appropriate
> error check.
>
> How does this look to others?

Looks good to me.


--
James Morris
<[email protected]>

2007-02-15 08:22:58

by Charles-Edouard Ruault

Subject: Re: [BUG] 2.6.20 Oopses in xfrm_audit_log

Joy Latten wrote:
> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Regards,
> Joy
>
> Signed-off-by: Joy Latten <[email protected]>
Hi Joy,
just to let you know that since I've applied your patch, everything is
running smoothly for me.
Thanks again.

--
Charles-Edouard Ruault
GPG key Id E4D2B80C

2007-02-26 10:36:45

by Charles-Edouard Ruault

Subject: Re: [BUG] 2.6.20 Oopses in xfrm_audit_log

Joy Latten wrote:
> This is similar to another bug reported last month.
> Here is the patch I sent out then. Please let me know
> how it goes.
>
> Regards,
> Joy
>
> Signed-off-by: Joy Latten <[email protected]>
Joy,
a quick email to let you know that I got the oops again this morning
with a 2.6.20 patched with the above fix.
I'm going to rebuild a vanilla kernel patched with the patch sent by
David Miller in follow-up to your previous conversation.

Here's the dump:

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000188
printing eip:
c02fb85c
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: stir4200 irda crc_ccitt ppdev vmnet(P) vmmon(P) loop
usblp nls_iso8859_1 nls_cp437 vfat fat xfrm4_mode_tunnel deflate
zlib_deflate twofish twofish_common serpent blowfish des cbc ecb
blkcipher xcbc sha256 sha1 crypto_null xfrm4_tunnel tunnel4 ipcomp esp4
ah4 af_key autofs4 asb100 hwmon_vid hidp rfcomm l2cap bluetooth sunrpc
nf_conntrack_netbios_ns ipt_LOG xt_limit xt_mark xt_state xt_tcpudp
iptable_filter ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4
xt_MARK iptable_mangle ip_tables x_tables binfmt_misc ipv6 sd_mod sg
hfsplus video button ac lp parport_pc parport floppy nvram usb_storage
scsi_mod libusual usbhid hid ehci_hcd snd_via82xx snd_ac97_codec
uhci_hcd ac97_bus ohci1394 snd_seq_dummy ieee1394 snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_page_alloc snd_mpu401_uart snd_rawmidi snd_seq_device snd shpchp
i2c_viapro b44 soundcore pcspkr i2c_core eepro100 mii via_agp agpgart
usbcore dm_mod
CPU: 0
EIP: 0060:[<c02fb85c>] Tainted: P M VLI
EFLAGS: 00010246 (2.6.20 #1)
EIP is at xfrm_audit_log+0x4cc/0x580
eax: c4f3a86b ebx: c039d160 ecx: 00000000 edx: 00000023
esi: ffffffff edi: 00000031 ebp: 00000000 esp: deb71a18
ds: 007b es: 007b ss: 0068
Process pluto (pid: 3847, ti=deb70000 task=e1b82050 task.ti=deb70000)
Stack: c17d2e60 c0354bf1 ecce48e0 00000003 c03ac59c e18b2400 00000001 00000003
       f8ce1450 00000000 00000001 00000286 deb71a6c c011506b 00000000 00000286
       efdde780 00000246 c17d2e60 00000000 00000000 efdde780 f8cdac67 00000000
Call Trace:
[<c011506b>] __wake_up+0x4b/0x80
[<f8cdac67>] pfkey_broadcast+0x137/0x1b0 [af_key]
[<f8cdae5f>] pfkey_send_policy_notify+0xef/0x1a0 [af_key]
[<c011d90e>] local_bh_enable+0x2e/0xa0
[<c0306107>] xfrm_get_policy+0x2b7/0x2f0
[<c0305e50>] xfrm_get_policy+0x0/0x2f0
[<c0304702>] xfrm_user_rcv_msg+0x102/0x1b0
[<c0304600>] xfrm_user_rcv_msg+0x0/0x1b0
[<c02b3782>] netlink_run_queue+0x82/0x120
[<c03045e8>] xfrm_netlink_rcv+0x28/0x40
[<c02b3d42>] netlink_data_ready+0x12/0x50
[<c02b2931>] netlink_sendskb+0x21/0x40
[<c02b3c50>] netlink_sendmsg+0x230/0x310
[<c02993cd>] sock_aio_write+0x11d/0x130
[<c01d538a>] avc_has_perm+0x5a/0x70
[<c0163ed5>] do_sync_write+0xd5/0x120
[<c012c960>] autoremove_wake_function+0x0/0x50
[<c01648c7>] vfs_write+0x177/0x180
[<c0164ea1>] sys_write+0x41/0x70
[<c0102f14>] syscall_call+0x7/0xb
=======================
Code: 8b 44 24 70 c1 e2 08 c1 e8 08 09 c2 0f b7 c2 89 44 24 08 8b 44 24
48 89 04 24 e8 10 eb e3 ff e9 bc fc ff ff 8b 8c 24 c0 00 00 00 <8b> 91
88 01 00 00 0f b7 99 82 00 00 00 85 d2 0f 85 64 fc ff ff
EIP: [<c02fb85c>] xfrm_audit_log+0x4cc/0x580 SS:ESP 0068:deb71a18



--
Charles-Edouard Ruault
GPG key Id E4D2B80C