[Openswan Users] openswan 2.6.33 rmmod ipsec cause kernel oops of null pointer

Zhiping Liu flyingzpl at gmail.com
Thu Mar 31 00:17:14 EDT 2011


This patch fixed the problem.
thanks!
2011/3/31 David McCullough <david_mccullough at mcafee.com>

>
> Jivin Zhiping Liu lays it down ...
> > produced by following:
>
> Thanks for that,  we are doing a double ipsec_dev_put which I think is the
> problem.  try the attached patch and see how that goes.
>
> Cheers,
> Davidm
>
> > 1.kernel version: latest stable 2.6.38.1
> >
> > PL-SMS ~ # uname -r
> > 2.6.38.1
> > PL-SMS ~ #
> >
> > 2.ipsec config file:
> >
> > PL-SMS openswan-2.6.33 # cat /etc/ipsec.conf
> > # /etc/ipsec.conf - Openswan IPsec configuration file
> >
> > # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
> > #
> > # Manual:     ipsec.conf.5
> >
> >
> > version 2.0     # conforms to second version of ipsec.conf specification
> >
> > # basic configuration
> > config setup
> >       # Do not set debug options to debug configuration issues!
> >       # plutodebug / klipsdebug = "all", "none" or a combation from
> below:
> >       # "raw crypt parsing emitting control klips pfkey natt x509 dpd
> private"
> >       # eg:
> >       # plutodebug="control parsing"
> >       #
> >       # enable to get logs per-peer
> >       # plutoopts="--perpeerlog"
> >       #
> >       # Again: only enable plutodebug or klipsdebug when asked by a
> developer
> >       #
> >       # NAT-TRAVERSAL support, see README.NAT-Traversal
> >       nat_traversal=yes
> >       # exclude networks used on server side by adding %v4:!a.b.c.0/24
> >       virtual_private=%v4:
> 10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >       # OE is now off by default. Uncomment and change to on, to enable.
> >       oe=off
> >       # which IPsec stack to use. auto will try netkey, then klips then
> mast
> >       protostack=mast
> >
> >
> > # Add connections here
> >
> > # sample VPN connection
> > # for more examples, see /etc/ipsec.d/examples/
> > #conn sample
> > #      # Left security gateway, subnet behind it, nexthop toward right.
> > #      left=10.0.0.1
> > #      leftsubnet=172.16.0.0/24
> > #      leftnexthop=10.22.33.44
> > #      # Right security gateway, subnet behind it, nexthop toward left.
> > #      right=10.12.12.1
> > #      rightsubnet=192.168.0.0/24
> > #      rightnexthop=10.101.102.103
> > #      # To authorize this connection, but not actually start it,
> > #      # at startup, uncomment this.
> > #      #auto=add
> >
> > PL-SMS openswan-2.6.33 #
> >
> > 3.how to produce kernel oops
> >
> >
> > PL-SMS ~ # modprobe ipsec
> > PL-SMS ~ # rmmod ipsec
> > Killed
> > PL-SMS ~ # lsmod
> > Module                  Size  Used by
> > ipsec                 311608  0
> > PL-SMS ~ #
> >
> > 4.kernel dmesg shows:
> >
> > BUG: unable to handle kernel NULL pointer dereference at   (null)
> > IP: [<f8101a59>] ipsec_mast_cleanup_devices+0x2f/0x4a [ipsec]
> > *pde = 00000000
> > Oops: 0002 [#1]
> > last sysfs file: /sys/devices/virtual/net/ipsec0/address
> > Modules linked in: ipsec(-)
> >
> > Pid: 3387, comm: rmmod Not tainted 2.6.38.1 #5 System manufacturer System
> Product Name/M2A-VM
> > EIP: 0060:[<f8101a59>] EFLAGS: 00010246 CPU: 0
> > EIP is at ipsec_mast_cleanup_devices+0x2f/0x4a [ipsec]
> > EAX: 00000000 EBX: 00000000 ECX: f5b1bef8 EDX: 00000001
> > ESI: 00000000 EDI: 00000880 EBP: f5b1bf2c ESP: f5b1bf28
> >  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> > Process rmmod (pid: 3387, ti=f5b1a000 task=f5f14c80 task.ti=f5b1a000)
> > Stack:
> >  f813aa40 f5b1bf4c f80f4013 f5b1bf54 f5b1bf4c c103aa8b f813aa40 00000000
> >  00000880 f5b1bfac c103a479 65737069 00000063 f5b2edc0 f5b1bf70 c10599db
> >  f5b2edc0 f5eb9380 f5b1bf9c c105a315 ffffffff b77aa000 b77ab000 f5b2ecc4
> > Call Trace:
> >  [<f80f4013>] cleanup_module+0x13/0x12a [ipsec]
> >  [<c103aa8b>] ? __try_stop_module+0xf/0x4c
> >  [<c103a479>] sys_delete_module+0x17c/0x1cf
> >  [<c10599db>] ? remove_vma+0x41/0x47
> >  [<c105a315>] ? do_munmap+0x1de/0x20c
> >  [<c1002710>] sysenter_do_call+0x12/0x26
> > Code: 31 db eb 35 8b 14 9d 60 c0 13 f8 85 d2 74 29 8b 82 d8 01 00 00 ff
> 08 89 d0 e8 c7 57 18 c9 8b 04 9d 60 c0 13 f8 8b 80 d8 01 00 00 <ff> 08 c7 04
> 9d 60 c0 13 f8 00 00 00 00 43 3b 1d e8 8c 13 f8 7e
> > EIP: [<f8101a59>] ipsec_mast_cleanup_devices+0x2f/0x4a [ipsec] SS:ESP
> 0068:f5b1bf28
> > CR2: 0000000000000000
> > ---[ end trace 01ae9d869f653d55 ]---
> > PL-SMS ~ #
> >
> > thanks for you reply!
> >
> > 2011/3/31 David McCullough <david_mccullough at mcafee.com>
> >
> >
> >       Jivin Zhiping Liu lays it down ...
> >
> >       > Hi all:
> >       >
> >       > I don't know if anyone have found out this before,but it's
> obviously a bug in file: linux/net/ipsec/ipsec_mast.c
> >       >
> >       >
> >       > 1085 int
> >       > 1086 ipsec_mast_init_devices(void)
> >       > 1087 {
> >       > 1088         /*
> >       > 1089          * mast0 is used for transport mode stuff, and
> generally is
> >       > 1090          * the default unless the user decides to create
> more.
> >       > 1091          */
> >       > 1092         ipsec_mast_createnum(0);
> >       > 1093
> >       > 1094         return 0;
> >       > 1095 }
> >       >
> >       > line 1092 set mast device num (mastdevices_max) to 0.
> >       >
> >       > if we do a rmmod ipsec now ,in ipsec_mast_cleanup_devices
> >       >
> >       > 1098 int
> >       > 1099 ipsec_mast_cleanup_devices(void)
> >       > 1100 {
> >       > 1101         int error = 0;
> >       > 1102         int i;
> >       > 1103         struct net_device *dev_mast;
> >       > 1104
> >       > 1105         for(i = 0; i <= mastdevices_max; i++) {
> >       > 1106                 if(mastdevices[i]!=NULL) {
> >       > 1107                         dev_mast = mastdevices[i];
> >       > 1108                         //lzp add
> >       > 1109                         if (!dev_mast)
> >       > 1110                                 printk(KERN_WARNING
> "dev_mast null");
> >       > 1111                         ipsec_dev_put(dev_mast);
> >       > 1112                         unregister_netdev(dev_mast);
> >       > 1113 #ifndef alloc_netdev
> >       > 1114                         kfree(dev_mast->priv);
> >       > 1115                         dev_mast->priv=NULL;
> >       > 1116 #endif
> >       > 1117                         ipsec_dev_put(mastdevices[i]);
> >       > 1118                         mastdevices[i]=NULL;
> >       > 1119                 }
> >       > 1120         }
> >       > 1121         return error;
> >       > 1122 }
> >       >
> >       > we will clean up mastdevices[0],which is not initialize yet.
> >
> >
> >       It will be initialised because ipsec_mast_createnum initialises it.
> >
> >       The code at 1106 checks if it's non-NULL before cleaning it up,  so
> this is
> >       safe also as mastdevices will be initialised to all 0's, and we
> always set it
> >       back to NULL when we clean up.
> >
> >
> >       > change to this fix the problem
> >       > 1085 int
> >       > 1086 ipsec_mast_init_devices(void)
> >       > 1087 {
> >       > 1088         /*
> >       > 1089          * mast0 is used for transport mode stuff, and
> generally is
> >       > 1090          * the default unless the user decides to create
> more.
> >       > 1091          */
> >       > 1092         ipsec_mast_createnum(-1);
> >       > 1093
> >       > 1094         return 0;
> >       > 1095 }
> >
> >
> >       This will almost certainly cause a problem as we will index into
> mastdevices
> >       with -1 which is bad.
> >
> >       Do you have a kernel oops that points to a problem here?  That
> might helps
> >       because as it stands I don't see a problem with that particular
> code path,
> >
> >       Cheers,
> >       Davidm
> >
> >
> >       --
> >       David McCullough,      david_mccullough at mcafee.com,  Ph:+61
> 734352815
> >       McAfee - SnapGear      http://www.mcafee.com
> http://www.uCdot.org
> >
> >
> >
> >
> >
> > --
> >
> >
> >
>
> --
> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>



-- 
--
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110331/060df9d0/attachment.html 


More information about the Users mailing list