[Openswan Users] KLIPS FC3

Jacco de Leeuw jacco2 at dds.nl
Tue Apr 19 01:15:52 CEST 2005

Paul Wouters wrote:

>> I noticed that kernel-2.6.11-1.14_FC3 is out. It seems
>> to be based on with several other Fedora patches.
> No. For one, the ip xfrm state bug is still present in that kernel,
> so i dont think it is based on .7

I don't get it. The SRPM seems to contain

$ rpm -qpl kernel-2.6.11-1.14_FC3.src.rpm  | grep bz2

I downloaded patch- from kernel.org and it is the same.

What xfrm bug are you referring to? I can find only this in the .7 patch
which deals with xfrm state:

diff -Nru a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
--- a/net/xfrm/xfrm_state.c     2005-04-07 11:58:58 -07:00
+++ b/net/xfrm/xfrm_state.c     2005-04-07 11:58:58 -07:00
@@ -609,7 +609,7 @@

         for (i = 0; i < XFRM_DST_HSIZE; i++) {
                 list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
-                       if (x->km.seq == seq) {
+                       if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
                                 return x;

Which probably corresponds to this entry in the changelog:

<kaber at trash.net>
	[PATCH] : Do not hold state lock while checking size
	This patch from Herbert Xu fixes a deadlock with IPsec.
	When an ICMP frag. required is sent and the ICMP message
	needs the same SA as the packet that caused it the state
	will be locked twice.
	[IPSEC]: Do not hold state lock while checking size.
	This can elicit ICMP message output and thus result in a
	Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
	Signed-off-by: David S. Miller <davem at davemloft.net>
	Signed-off-by: Chris Wright <chrisw at osdl.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

Which seems to refer to this thread:


Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

More information about the Users mailing list