Re: [IPSEC]: Use the correct ip_local_out function

(off-list ancestor, not in this archive)
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · David Miller <davem@davemloft.net> · 2008-04-28
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-04-28
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-04-29
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Herbert Xu <herbert@gondor.apana.org.au> · 2008-05-02
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-02
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-06
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-09
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Herbert Xu <herbert@gondor.apana.org.au> · 2008-05-09
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-09
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Ingo Molnar <hidden> · 2008-05-09
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-12
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Herbert Xu <herbert@gondor.apana.org.au> · 2008-05-12
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-12
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-12
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-12
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-14
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-14
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Herbert Xu <herbert@gondor.apana.org.au> · 2008-05-14
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-14
[IPSEC]: Use the correct ip_local_out function · Herbert Xu <herbert@gondor.apana.org.au> · 2008-05-20
Re: [IPSEC]: Use the correct ip_local_out function · Marco Berizzi <hidden> · 2008-05-20
Re: [IPSEC]: Use the correct ip_local_out function · David Miller <davem@davemloft.net> · 2008-05-20
Re: [IPSEC]: Use the correct ip_local_out function · Marco Berizzi <hidden> · 2008-05-27
Re: [patch 00/50] 2.6.25.6 -stable review · Marco Berizzi <hidden> · 2008-06-07
Re: [patch 00/50] 2.6.25.6 -stable review · Willy Tarreau <w@1wt.eu> · 2008-06-07
Re: [patch 00/50] 2.6.25.6 -stable review · Marco Berizzi <hidden> · 2008-06-08
Re: [patch 00/50] 2.6.25.6 -stable review · Willy Tarreau <w@1wt.eu> · 2008-06-08
Re: [patch 00/50] 2.6.25.6 -stable review · David Miller <davem@davemloft.net> · 2008-06-08
Re: [patch 00/50] 2.6.25.6 -stable review · Willy Tarreau <w@1wt.eu> · 2008-06-08
Re: [patch 00/50] 2.6.25.6 -stable review · Jay Cliburn <hidden> · 2008-06-08
Re: [patch 00/50] 2.6.25.6 -stable review · Willy Tarreau <w@1wt.eu> · 2008-06-08
Re: [patch 00/50] 2.6.25.6 -stable review · Jeff Garzik <hidden> · 2008-06-08
Re: [patch 00/50] 2.6.25.6 -stable review · David Miller <davem@davemloft.net> · 2008-06-09
Re: 2.6.25 crash: EIP: [<c02e2f14>] xfrm_output_resume+0x64/0x100 ss:esp 0068:c03a1e5c · Marco Berizzi <hidden> · 2008-05-05

From: Marco Berizzi <hidden>
Date: 2008-05-27 09:04:32
Also in: lkml

David Miller wrote:

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue, 20 May 2008 17:25:11 +0800

quoted

On Wed, May 14, 2008 at 10:19:57AM +0200, Marco Berizzi wrote:

quoted

I hope this helps.

OK found the problem, it was my fault after all :)

Dave, this patch needs to go into stable too.

[IPSEC]: Use the correct ip_local_out function

Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly.  Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash.  Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied and queued to -stable, thanks!

Just a confirmation message that this bug has been fixed
(one week uptime).

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help