Commit cc01572e authored by Yossi Kuperman's avatar Yossi Kuperman Committed by Steffen Klassert

xfrm: Add SA to hardware at the end of xfrm_state_construct()

Current code configures the hardware with a new SA before the state has been
fully initialized. During this time interval, an incoming ESP packet can cause
a crash due to a NULL dereference. More specifically, xfrm_input() considers
the packet as valid, and yet, anti-replay mechanism is not initialized.

Move hardware configuration to the end of xfrm_state_construct(), and mark
the state as valid once the SA is fully initialized.

Fixes: d77e38e6 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: default avatarAviad Yehezkel <aviadye@mellnaox.com>
Signed-off-by: default avatarAviv Heller <avivh@mellanox.com>
Signed-off-by: default avatarYossi Kuperman <yossiku@mellanox.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent ad9294db
...@@ -2272,8 +2272,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload) ...@@ -2272,8 +2272,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
goto error; goto error;
} }
x->km.state = XFRM_STATE_VALID;
error: error:
return err; return err;
} }
...@@ -2282,7 +2280,13 @@ EXPORT_SYMBOL(__xfrm_init_state); ...@@ -2282,7 +2280,13 @@ EXPORT_SYMBOL(__xfrm_init_state);
int xfrm_init_state(struct xfrm_state *x) int xfrm_init_state(struct xfrm_state *x)
{ {
return __xfrm_init_state(x, true, false); int err;
err = __xfrm_init_state(x, true, false);
if (!err)
x->km.state = XFRM_STATE_VALID;
return err;
} }
EXPORT_SYMBOL(xfrm_init_state); EXPORT_SYMBOL(xfrm_init_state);
......
...@@ -598,13 +598,6 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, ...@@ -598,13 +598,6 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
goto error; goto error;
} }
if (attrs[XFRMA_OFFLOAD_DEV]) {
err = xfrm_dev_state_add(net, x,
nla_data(attrs[XFRMA_OFFLOAD_DEV]));
if (err)
goto error;
}
if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn, if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
attrs[XFRMA_REPLAY_ESN_VAL]))) attrs[XFRMA_REPLAY_ESN_VAL])))
goto error; goto error;
...@@ -620,6 +613,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, ...@@ -620,6 +613,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
/* override default values from above */ /* override default values from above */
xfrm_update_ae_params(x, attrs, 0); xfrm_update_ae_params(x, attrs, 0);
/* configure the hardware if offload is requested */
if (attrs[XFRMA_OFFLOAD_DEV]) {
err = xfrm_dev_state_add(net, x,
nla_data(attrs[XFRMA_OFFLOAD_DEV]));
if (err)
goto error;
}
return x; return x;
error: error:
...@@ -662,6 +663,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -662,6 +663,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
goto out; goto out;
} }
if (x->km.state == XFRM_STATE_VOID)
x->km.state = XFRM_STATE_VALID;
c.seq = nlh->nlmsg_seq; c.seq = nlh->nlmsg_seq;
c.portid = nlh->nlmsg_pid; c.portid = nlh->nlmsg_pid;
c.event = nlh->nlmsg_type; c.event = nlh->nlmsg_type;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment