Hi,
Using Kernel 4.4.8 on armv7 using Libreswan v3.17 w/ one upstream patch
(0001-KLIPS-Fix-for-proc-net-pf_key-oops-on-4.4-kernels-in.patch) I experienced a
kernel crash which looks like a bug in the key_pid assignment.
In the past this define (key_pid) used the sk->sk_protinfo and saved the pid
within this pointer, lately this define was changed to:
# define key_pid(sk) ((struct key_opt*)&(sk))->key_pid
Using this in the pfkey_create() basically overwrites the sk pointer and
crashes the kernel.
KLIPS was built using OCF configurations and disabled CryptoAPI
(CONFIG_KLIPS_ENC_CRYPTOAPI=n)
Following is the crash info:
# insmod /lib/modules/ocf.ko
[ 20.163548] ocf: module license 'BSD' taints kernel.
[ 20.168529] Disabling lock debugging due to kernel taint
# insmod /lib/modules/cryptosoft.ko
# insmod /lib/modules/ipsec.ko
[ 28.064028] klips_info:ipsec_init: KLIPS startup, Libreswan KLIPS IPsec stack version: 3.17
[ 28.072490] NET: Registered protocol family 15
[ 28.077607] registered KLIPS /proc/sys/net
[ 28.081540] klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=255)
[ 28.089753] klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
[ 28.096305] ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
[ 28.102419] ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
[ 28.108788] ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
# ipsec start
[ 42.622676] Unable to handle kernel NULL pointer dereference at virtual address 00000044
[ 42.630788] pgd = def44000
[ 42.633509] [00000044] *pgd=1f57d831, *pte=00000000, *ppte=00000000
[ 42.639824] Internal error: Oops: 17 [#1] SMP ARM
[ 42.644536] Modules linked in: ipsec(O) cryptosoft(O) ocf(PO)
[ 42.650337] CPU: 1 PID: 1624 Comm: eroute Tainted: P O 4.4.8-devel-16.05.0-00391-g6fbf121-dirty #1
[ 42.660446] Hardware name: Marvell Armada 380/385 (Device Tree)
[ 42.666377] task: decdf5c0 ti: df594000 task.ti: df594000
[ 42.671806] PC is at pfkey_create+0x1b8/0x2f8 [ipsec]
[ 42.676884] LR is at pfkey_create+0x1b0/0x2f8 [ipsec]
[ 42.681945] pc : [<bf024ff0>] lr : [<bf024fe8>] psr: 60060013
[ 42.681945] sp : df595f28 ip : 00000001 fp : 000318d0
[ 42.693447] r10: 00000000 r9 : 00000000 r8 : 00000001
[ 42.698682] r7 : bf066a6c r6 : 00000000 r5 : df094080 r4 : bf066a6c
[ 42.705222] r3 : 00000044 r2 : 00000000 r1 : bf064100 r0 : bf06706c
[ 42.711764] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 42.718913] Control: 10c5387d Table: 1ef4404a DAC: 00000051
[ 42.724670] Process eroute (pid: 1624, stack limit = 0xdf594220)
[ 42.730688] Stack: (0xdf595f28 to 0xdf596000)
[ 42.735053] 5f20: 00000000 00000002 df594000 00000000 0000000f bf024e38
[ 42.743250] 5f40: bf0641a4 df094080 c07fed80 00000002 0000003c c0504200 00000000 00000003
[ 42.751446] 5f60: decdf5c0 00000119 c000f984 df594000 00000000 c0505484 df595f8c 00000000
[ 42.759642] 5f80: 00000008 00000000 00000000 c0036250 00800000 b6f2bdf0 0001cae4 00000000
[ 42.767838] 5fa0: 00000119 c000f7c0 b6f2bdf0 0001cae4 0000000f 00000003 00000002 00031880
[ 42.776034] 5fc0: b6f2bdf0 0001cae4 00000000 00000119 00031880 00000002 bef80870 000318d0
[ 42.784229] 5fe0: b6ebeb50 bef80754 00014878 b6ebeb5c 60060010 0000000f 00000000 00000000
[ 42.792448] [<bf024ff0>] (pfkey_create [ipsec]) from [<c0504200>] (__sock_create+0xe8/0x184)
[ 42.800910] [<c0504200>] (__sock_create) from [<c0505484>] (SyS_socket+0x54/0xf0)
[ 42.808413] [<c0505484>] (SyS_socket) from [<c000f7c0>] (ret_fast_syscall+0x0/0x3c)
[ 42.816088] Code: 1a000041 ebfffdcb e2863044 f593f000 (e1932f9f)
[ 42.822204] ---[ end trace 903ffd7ba3e83a7f ]---
[ 42.826835] Kernel panic - not syncing: Fatal exception in interrupt
[ 42.833202] CPU0: stopping
[ 42.835917] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P D O 4.4.8-devel-16.05.0-00391-g6fbf121-dirty #1
[ 42.846027] Hardware name: Marvell Armada 380/385 (Device Tree)
[ 42.851966] [<c00176a8>] (unwind_backtrace) from [<c0013564>] (show_stack+0x10/0x18)
[ 42.859729] [<c0013564>] (show_stack) from [<c02b5758>] (dump_stack+0x8c/0xa4)
[ 42.866970] [<c02b5758>] (dump_stack) from [<c0016524>] (handle_IPI+0x1d4/0x1f0)
[ 42.874382] [<c0016524>] (handle_IPI) from [<c000953c>] (gic_handle_irq+0x84/0x90)
[ 42.881968] [<c000953c>] (gic_handle_irq) from [<c0014054>] (__irq_svc+0x54/0x70)
[ 42.889466] Exception stack(0xc07c9f58 to 0xc07c9fa0)
[ 42.894527] 9f40: 00000000 dfbcf380
[ 42.902724] 9f60: 00060f5c c0020040 c07c8000 c07ca494 c07c2360 c05c23b0 c07c9fb0 c0804764
[ 42.910920] 9f80: c07ca4e0 00000000 00000000 c07c9fa8 c001029c c00102a0 600f0013 ffffffff
[ 42.919117] [<c0014054>] (__irq_svc) from [<c00102a0>] (arch_cpu_idle+0x3c/0x44)
[ 42.926533] [<c00102a0>] (arch_cpu_idle) from [<c005ae10>] (cpu_startup_entry+0x104/0x180)
[ 42.934818] [<c005ae10>] (cpu_startup_entry) from [<c077ac9c>] (start_kernel+0x39c/0x3ac)
[ 42.943014] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
To overcome this I simply changed:
# define key_pid(sk) ((struct key_opt*)&(sk))->key_pid
To:
# define key_pid(sk) ((struct key_opt*)(sk))->key_pid
key_pid should be saved in the sock struct w/o overwriting a valuable field.
/Ofer
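The difference between the two macro spellings in the report can be shown in user space without the kernel. The program below is an added illustration written for this page; it is not code from the poster or from Libreswan/KLIPS. `struct fake_sock` and `struct key_opt` are constructed stand-ins (assumptions, not the real kernel layouts), keeping only the property the macro relies on: `key_pid` is the first member of `struct key_opt`. The pid value 1624 is taken from the `eroute` PID in the oops above. With `&(sk)` the store lands in the bytes of the local pointer variable, so `sk` no longer points at the socket when the function next dereferences it; with `(sk)` the pointer survives and the store lands at offset 0 of the object instead, which is the poster's remaining concern about clobbering a field that belongs to someone else.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types (assumptions, not the real
 * struct sock / struct key_opt). The only layout property kept is the one the
 * macro depends on: key_pid is the first member of struct key_opt. */
struct key_opt {
    uint32_t key_pid;
};

struct fake_sock {
    uint32_t first_word;   /* whatever really lives at offset 0 of the socket */
    uint32_t other_state;
};

/* The two macro spellings from the report, side by side. */
#define key_pid_broken(sk) (((struct key_opt *)&(sk))->key_pid) /* &(sk): address of the pointer variable */
#define key_pid_fixed(sk)  (((struct key_opt *)(sk))->key_pid)  /* (sk): the object the pointer refers to */

/* Mimics the assignment in pfkey_create() with the broken macro.
 * Returns 1 if the store changed the local pointer variable 'sk', 0 if 'sk'
 * still holds the address it started with. The bytes of the variable are
 * read back with memcpy so nothing dereferences the corrupted pointer. */
int broken_macro_clobbers_pointer(struct fake_sock *sock, uint32_t pid)
{
    struct fake_sock *sk = sock;
    uintptr_t before, after;

    memcpy(&before, &sk, sizeof before);
    key_pid_broken(sk) = pid;          /* writes pid over the first 4 bytes of 'sk' itself */
    memcpy(&after, &sk, sizeof after);

    return before != after;
}

/* Same assignment with the corrected macro. Returns the first 32-bit word of
 * the object (which now holds pid), or 0xFFFFFFFF if the pointer was touched. */
uint32_t fixed_macro_writes_into_object(uint32_t pid)
{
    struct fake_sock s;
    struct fake_sock *sk = &s;

    memset(&s, 0, sizeof s);
    key_pid_fixed(sk) = pid;           /* store goes to offset 0 of *sk, not to 'sk' */

    if (sk != &s)
        return 0xFFFFFFFFu;
    return s.first_word;               /* equals pid; in a real socket this word belongs to another field */
}

int main(void)
{
    struct fake_sock s = { 0, 0 };

    printf("broken macro changed the sk pointer: %d\n",
           broken_macro_clobbers_pointer(&s, 1624));
    printf("fixed macro stored pid at offset 0 of the object: %u\n",
           fixed_macro_writes_into_object(1624));
    return 0;
}
```

Reading the oops with this in mind: the fault is a NULL dereference at offset 0x44 inside pfkey_create, i.e. the code continued to use `sk` after the store went through the pointer variable rather than through the socket. The corrected spelling removes that, but the comment in `fixed_macro_writes_into_object` shows why the poster still wants a dedicated place for the pid in the socket structure.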
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan