Commit 3bc07321ccc236f693ce1b6a8786f0a2e38bb87e

Authored by Steffen Klassert
Committed by David S. Miller
1 parent 1fbc784392

xfrm: Force a dst refcount before entering the xfrm type handlers

Crypto requests might return asynchronously. In this case we leave
the rcu protected region, so force a refcount on the skb's
destination entry before we enter the xfrm type input/output
handlers.

This fixes a crash when a route is deleted whilst sending IPsec
data that is transformed by an asynchronous algorithm.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 2 changed files with 4 additions and 0 deletions

net/xfrm/xfrm_input.c
... ... @@ -190,6 +190,8 @@
190 190 XFRM_SKB_CB(skb)->seq.input.low = seq;
191 191 XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
192 192  
  193 + skb_dst_force(skb);
  194 +
193 195 nexthdr = x->type->input(x, skb);
194 196  
195 197 if (nexthdr == -EINPROGRESS)
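
Review bot: The new skb_dst_force(skb) at line 193 has no comment, and nothing in xfrm_input.c tells a later reader why a reference is taken right before x->type->input(x, skb). The reason only lives in the commit message: the handler can return -EINPROGRESS (checked at line 197) and the packet is then resumed outside the RCU-protected region. A one-line comment above the call saying that the dst must be refcounted because the type handler may complete asynchronously would keep someone from removing it as a redundant refcount. The call is also unconditional, so synchronous algorithms that never leave the RCU section take the reference on every packet as well; if that cost is accepted on purpose, the comment is a good place to say so.
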
net/xfrm/xfrm_output.c
... ... @@ -78,6 +78,8 @@
78 78  
79 79 spin_unlock_bh(&x->lock);
80 80  
  81 + skb_dst_force(skb);
  82 +
81 83 err = x->type->output(x, skb);
82 84 if (err == -EINPROGRESS)
83 85 goto out_exit;
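
Review bot: As in the input path, skb_dst_force(skb) at line 81 is added without a comment linking it to the -EINPROGRESS exit two lines below. Placing it after spin_unlock_bh(&x->lock) keeps it out of the locked section, which looks right, but the ordering requirement (the reference must be held before x->type->output(x, skb) is entered, not after it returns) is not visible from the code. Please add a short comment stating that the output handler may return asynchronously and that the skb's dst has to be refcounted before the call.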