RE: [PATCH net-next] net/esp4: Fix invalid esph pointer crash
From: Ilan Tayari <hidden>
Date: 2017-05-03 11:45:07
-----Original Message-----
From: Steffen Klassert [mailto:steffen.klassert@secunet.com]

On Sun, Apr 30, 2017 at 04:34:38PM +0300, ilant@mellanox.com wrote:
From: Ilan Tayari <redacted>

Both esp_output and esp_xmit take a pointer to the ESP header and place it in esp_info struct prior to calling esp_output_head.

Inside esp_output_head, the call to esp_output_udp_encap makes sure to update the pointer if it gets invalid. However, if esp_output_head itself calls skb_cow_data, the pointer is not updated and stays invalid, causing a crash after esp_output_head returns.

Update the pointer if it becomes invalid in esp_output_head

Fixes: fca11ebde3f0 ("esp4: Reorganize esp_output")
Signed-off-by: Ilan Tayari <redacted>
--- net/ipv4/esp4.c | 1 + 1 file changed, 1 insertion(+)diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 7f2caf71212b..65cc02bd82bc 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c@@ -317,6 +317,7 @@ int esp_output_head(struct xfrm_state *x, structsk_buff *skb, struct esp_info *quoted
if (nfrags < 0) goto out; tail = skb_tail_pointer(trailer); + esp->esph = ip_esp_hdr(skb);

This is not quite right for udpencap. It fixes the crash, but introduces a bug that we already have in v4.11. On udpencap the esp header has an offset to skb_transport_header, the problem was discussed last week here: https://lkml.org/lkml/2017/4/25/937

I plan to fix this with the patch below:

Subject: [PATCH RFC] esp4: Fix udpencap for local TCP packets.
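
Review bot: the added line "esp->esph = ip_esp_hdr(skb);" after "tail = skb_tail_pointer(trailer);" recomputes the pointer from the transport header unconditionally, so it discards whatever esp_output_udp_encap stored in esp->esph earlier in esp_output_head. The commit message says that helper already adjusts the pointer, and with UDP encapsulation the ESP header sits at an offset from the transport header, so the refreshed value would no longer point at the ESP header in that case. Consider saving the offset of esp->esph from skb_transport_header(skb) before the skb_cow_data call and re-applying it here, which covers both the plain and the encapsulated path. A one-line comment noting that skb_cow_data can invalidate pointers into the packet data would also explain why the reassignment is needed.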
This patch works for me. I don't have udp-encap test facilities, though (yet!).

Ilan.