r2936 - in trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian: . patches patches/series

Simon Horman horms@costa.debian.org
Wed, 06 Apr 2005 09:41:43 +0000 

Author: horms
Date: 2005-04-06 09:41:42 +0000 (Wed, 06 Apr 2005)
New Revision: 2936

Added:
   trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-ipv4-ipsec-icmp-deadlock.patch
Modified:
   trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
   trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-3
Log:
Fix IPSEC ICMP deadlock

Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog	2005-04-06 08:36:55 UTC (rev 2935)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog	2005-04-06 09:41:42 UTC (rev 2936)
@@ -3,8 +3,11 @@
   * net-ipv4-bic-binary-search.patch:
     Fix BIC congestion avoidance algorithm error
     (Simon Horman)
+  * net-ipv4-ipsec-icmp-deadlock.patch
+    Fix IPSEC ICMP deadlock
+    (Simon Horman)
 
- -- Simon Horman <horms@debian.org>  Wed,  6 Apr 2005 13:13:55 +0900
+ -- Simon Horman <horms@debian.org>  Wed,  6 Apr 2005 18:39:48 +0900
 
 kernel-source-2.6.11 (2.6.11-2) unstable; urgency=low
 

Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-ipv4-ipsec-icmp-deadlock.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-ipv4-ipsec-icmp-deadlock.patch	2005-04-06 08:36:55 UTC (rev 2935)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-ipv4-ipsec-icmp-deadlock.patch	2005-04-06 09:41:42 UTC (rev 2936)
@@ -0,0 +1,85 @@
+# origin: kraxel@bytesex.org (BitKeeper)
+# cset: 423319b45APysujA6dNnGY0xxK9gJg
+# URL: http://oss.sgi.com/projects/netdev/archive/2005-04/msg00241.html
+# inclusion: proposed for upstream's -stable tree
+# description: [IPSEC]: Do not hold state lock while checking size
+# revision date: Tue, 5 Apr 2005 09:47:27 -0700
+#
+
+#Date: Tue, 5 Apr 2005 09:47:27 -0700
+#From: Greg KH <gregkh@suse.de>
+#To: linux-kernel@vger.kernel.org, stable@kernel.org
+#Cc: kaber@trash.net, davem@davemloft.net, netdev@oss.sgi.com
+#Subject: [05/08] [IPSEC]: Do not hold state lock while checking size
+#
+#-stable review patch.  If anyone has any objections, please let us know.
+#
+#------------------
+#
+#This patch from Herbert Xu fixes a deadlock with IPsec.
+#When an ICMP frag. required is sent and the ICMP message
+#needs the same SA as the packet that caused it the state
+#will be locked twice.
+#
+#[IPSEC]: Do not hold state lock while checking size.
+#
+#This can elicit ICMP message output and thus result in a
+#deadlock.
+#
+#Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+#Signed-off-by: David S. Miller <davem@davemloft.net>
+#Signed-off-by: Chris Wright <chrisw@osdl.org>
+#Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+#
+diff -Nru a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
+--- a/net/ipv4/xfrm4_output.c	2005-03-20 16:53:05 +01:00
++++ b/net/ipv4/xfrm4_output.c	2005-03-20 16:53:05 +01:00
+@@ -103,16 +103,16 @@
+ 			goto error_nolock;
+ 	}
+ 
+-	spin_lock_bh(&x->lock);
+-	err = xfrm_state_check(x, skb);
+-	if (err)
+-		goto error;
+-
+ 	if (x->props.mode) {
+ 		err = xfrm4_tunnel_check_size(skb);
+ 		if (err)
+-			goto error;
++			goto error_nolock;
+ 	}
++
++	spin_lock_bh(&x->lock);
++	err = xfrm_state_check(x, skb);
++	if (err)
++		goto error;
+ 
+ 	xfrm4_encap(skb);
+ 
+diff -Nru a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+--- a/net/ipv6/xfrm6_output.c	2005-03-20 16:53:05 +01:00
++++ b/net/ipv6/xfrm6_output.c	2005-03-20 16:53:05 +01:00
+@@ -103,16 +103,16 @@
+ 			goto error_nolock;
+ 	}
+ 
+-	spin_lock_bh(&x->lock);
+-	err = xfrm_state_check(x, skb);
+-	if (err)
+-		goto error;
+-
+ 	if (x->props.mode) {
+ 		err = xfrm6_tunnel_check_size(skb);
+ 		if (err)
+-			goto error;
++			goto error_nolock;
+ 	}
++
++	spin_lock_bh(&x->lock);
++	err = xfrm_state_check(x, skb);
++	if (err)
++		goto error;
+ 
+ 	xfrm6_encap(skb);
+ 

Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-3
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-3	2005-04-06 08:36:55 UTC (rev 2935)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-3	2005-04-06 09:41:42 UTC (rev 2936)
@@ -1 +1,2 @@
 + net-ipv4-bic-binary-search.patch
++ net-ipv4-ipsec-icmp-deadlock.patch