[Openswan Users] openswan 2.6.33 rmmod ipsec cause kernel oops of null pointer
David McCullough
david_mccullough at mcafee.com
Wed Mar 30 21:05:23 EDT 2011
Jivin Zhiping Liu lays it down ...
> Hi all:
>
> I don't know if anyone has found this out before, but it's obviously a bug in file: linux/net/ipsec/ipsec_mast.c
>
>
> 1085 int
> 1086 ipsec_mast_init_devices(void)
> 1087 {
> 1088     /*
> 1089      * mast0 is used for transport mode stuff, and generally is
> 1090      * the default unless the user decides to create more.
> 1091      */
> 1092     ipsec_mast_createnum(0);
> 1093
> 1094     return 0;
> 1095 }
>
> line 1092 sets the mast device num (mastdevices_max) to 0.
>
> if we do an rmmod ipsec now, in ipsec_mast_cleanup_devices
>
> 1098 int
> 1099 ipsec_mast_cleanup_devices(void)
> 1100 {
> 1101     int error = 0;
> 1102     int i;
> 1103     struct net_device *dev_mast;
> 1104
> 1105     for(i = 0; i <= mastdevices_max; i++) {
> 1106         if(mastdevices[i]!=NULL) {
> 1107             dev_mast = mastdevices[i];
> 1108             //lzp add
> 1109             if (!dev_mast)
> 1110                 printk(KERN_WARNING "dev_mast null");
> 1111             ipsec_dev_put(dev_mast);
> 1112             unregister_netdev(dev_mast);
> 1113 #ifndef alloc_netdev
> 1114             kfree(dev_mast->priv);
> 1115             dev_mast->priv=NULL;
> 1116 #endif
> 1117             ipsec_dev_put(mastdevices[i]);
> 1118             mastdevices[i]=NULL;
> 1119         }
> 1120     }
> 1121     return error;
> 1122 }
>
> we will clean up mastdevices[0], which is not initialized yet.
It will be initialised because ipsec_mast_createnum initialises it.
The code at 1106 checks if it's non-NULL before cleaning it up, so this is
safe also as mastdevices will be initialised to all 0's, and we always set it
back to NULL when we clean up.
> changing it to this fixes the problem
> 1085 int
> 1086 ipsec_mast_init_devices(void)
> 1087 {
> 1088     /*
> 1089      * mast0 is used for transport mode stuff, and generally is
> 1090      * the default unless the user decides to create more.
> 1091      */
> 1092     ipsec_mast_createnum(-1);
> 1093
> 1094     return 0;
> 1095 }
This will almost certainly cause a problem as we will index into mastdevices
with -1 which is bad.
Do you have a kernel oops that points to a problem here? That might help,
because as it stands I don't see a problem with that particular code path.
Cheers,
Davidm
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
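An added example (not openswan code, and not from either poster) modelling the point argued above: a file-scope pointer array starts out all NULL, so a cleanup loop that checks each slot is safe even when nothing was created, while a create routine should reject an index such as -1 before it is ever used to index the array. The names mast_createnum, mast_cleanup_devices and MAST_MAX, and the use of -1 in mastdevices_max to mean "no device yet", are this example's own assumptions.

```c
#include <stdlib.h>

#define MAST_MAX 4

struct mast_dev { int num; };

/* File-scope arrays are zero-initialised, so every slot starts out NULL,
 * which is exactly what the NULL check in the cleanup loop relies on. */
static struct mast_dev *mastdevices[MAST_MAX];
static int mastdevices_max = -1;   /* assumed sentinel: -1 = nothing created */

/* Create device `num`. Returns 0 on success, -1 for an out-of-range index.
 * The range check is what turns createnum(-1) into an error instead of a
 * store at mastdevices[-1]. */
int mast_createnum(int num)
{
    if (num < 0 || num >= MAST_MAX)
        return -1;
    if (mastdevices[num] != NULL)
        return 0;                           /* already exists, nothing to do */
    mastdevices[num] = calloc(1, sizeof(struct mast_dev));
    if (mastdevices[num] == NULL)
        return -1;
    mastdevices[num]->num = num;
    if (num > mastdevices_max)
        mastdevices_max = num;
    return 0;
}

/* Same shape as the quoted ipsec_mast_cleanup_devices(): walk
 * 0..mastdevices_max and release only the slots that are non-NULL,
 * then reset them so a second cleanup is harmless. Returns how many
 * devices were released. */
int mast_cleanup_devices(void)
{
    int freed = 0;
    for (int i = 0; i <= mastdevices_max; i++) {
        if (mastdevices[i] != NULL) {
            free(mastdevices[i]);
            mastdevices[i] = NULL;
            freed++;
        }
    }
    mastdevices_max = -1;
    return freed;
}
```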