From patchwork Mon Jan 29 15:00:10 2018
X-Patchwork-Id: 126166
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:10 +0300
Message-Id: <1517238014-22220-2-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 1/5] linux-gen: ipsec: disallow using SAs while they are being created

From: Dmitry Eremin-Solenikov

Current code has a race condition between inbound traffic and creation of new SA. It is possible for inbound traffic to trigger partially created SA using SA_LOOKUP option (or INLINE mode). Add separate (RESERVED) stage for SA which is in process of being created.

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3594
Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef
 **/
platform/linux-generic/odp_ipsec_sad.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 845a73dea..bb984db38 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -17,7 +17,8 @@ #include #define IPSEC_SA_STATE_DISABLE 0x40000000 -#define IPSEC_SA_STATE_FREE 0xc0000000 /* This includes disable !!! */ +#define IPSEC_SA_STATE_FREE 0xc0000000 +#define IPSEC_SA_STATE_RESERVED 0x80000000 typedef struct ipsec_sa_table_t { ipsec_sa_t ipsec_sa[ODP_CONFIG_IPSEC_SAS]; @@ -108,7 +109,8 @@ static ipsec_sa_t *ipsec_sa_reserve(void) ipsec_sa = ipsec_sa_entry(i); - if (odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, 0)) + if (odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, + IPSEC_SA_STATE_RESERVED)) return ipsec_sa; } @@ -120,6 +122,12 @@ static void ipsec_sa_release(ipsec_sa_t *ipsec_sa) odp_atomic_store_rel_u32(&ipsec_sa->state, IPSEC_SA_STATE_FREE); } +/* Mark reserved SA as available now */ +static void ipsec_sa_publish(ipsec_sa_t *ipsec_sa) +{ + odp_atomic_store_rel_u32(&ipsec_sa->state, 0); +} + static int ipsec_sa_lock(ipsec_sa_t *ipsec_sa) { int cas = 0; @@ -128,9 +136,11 @@ static int ipsec_sa_lock(ipsec_sa_t *ipsec_sa) while (0 == cas) { /* * This can be called from lookup path, so we really need this - * check + * check. Thanks to the way flags are defined we actually test + * that the SA is not DISABLED, FREE or RESERVED using just one + * condition. */ - if (state & IPSEC_SA_STATE_DISABLE) + if (state & IPSEC_SA_STATE_FREE) return -1; cas = odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, 
@@ -438,6 +448,8 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) &ses_create_rc)) goto error; + ipsec_sa_publish(ipsec_sa); + return ipsec_sa->ipsec_sa_hdl; error:

From patchwork Mon Jan 29 15:00:11 2018
X-Patchwork-Id: 126170
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:11 +0300
Message-Id: <1517238014-22220-3-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 2/5] linux-gen: ipsec: fix SA leak in odp_ipsec_sa_create

From: Dmitry Eremin-Solenikov

It is possible to leave SA in reserved state if antireplay options are unsupported. Free the SA in this case.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef
 **/
platform/linux-generic/odp_ipsec_sad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index bb984db38..162626de0 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -289,7 +289,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) } if (param->inbound.antireplay_ws > IPSEC_ANTIREPLAY_WS) - return ODP_IPSEC_SA_INVALID; + goto error; ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0); odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0); } else {

From patchwork Mon Jan 29 15:00:12 2018
X-Patchwork-Id: 126167
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:12 +0300
Message-Id: <1517238014-22220-4-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 3/5] linux-gen: ipsec: fix SA leak in lookup case

From: Dmitry Eremin-Solenikov

SA lookup can leave SAs locked if multiple SAs matched the LOOKUP_SPI case. Follow that case if we have no 'best' option.

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3595
Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef
 **/
platform/linux-generic/odp_ipsec_sad.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 162626de0..ad229e754 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -575,9 +575,10 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) if (NULL != best) _odp_ipsec_sa_unuse(best); return ipsec_sa; - } else if (ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && - lookup->proto == ipsec_sa->proto && - lookup->spi == ipsec_sa->spi) { + } else if (NULL == best && + ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && + lookup->proto == ipsec_sa->proto && + lookup->spi == ipsec_sa->spi) { best = ipsec_sa; } else { _odp_ipsec_sa_unuse(ipsec_sa);

From patchwork Mon Jan 29 15:00:13 2018
X-Patchwork-Id: 126168
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:13 +0300
Message-Id: <1517238014-22220-5-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 4/5] linux-gen: ipsec: prevent sa_lookup from matching outbound SAs

From: Dmitry Eremin-Solenikov

lookup_mode was valid only for inbound SAs but contained garbage for outbound SAs. Thus it was possible for lookup to match SA with outbound SA. Prevent that by marking all outbound SAs as ODP_IPSEC_LOOKUP_DISABLED.

Signed-off-by: Dmitry Eremin-Solenikov --- /** Email created from pull request 427 (lumag:ipsec-fix-sad) ** https://github.com/Linaro/odp/pull/427 ** Patch: https://github.com/Linaro/odp/pull/427.patch ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef **/ platform/linux-generic/include/odp_ipsec_internal.h | 2 +- platform/linux-generic/odp_ipsec_sad.c | 14 ++++++-------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index dbdcbb917..bdb86c400 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -122,6 +122,7 @@ struct ipsec_sa_s { uint8_t salt[IPSEC_MAX_SALT_LEN]; uint32_t salt_length; + odp_ipsec_lookup_mode_t lookup_mode; union { unsigned flags; @@ -144,7 +145,6 @@ struct ipsec_sa_s { union { struct { - odp_ipsec_lookup_mode_t lookup_mode; odp_ipsec_ip_version_t lookup_ver; union { odp_u32be_t lookup_dst_ipv4; diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index ad229e754..2af72bbb5 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -274,8 +274,8 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->mode = param->mode; ipsec_sa->flags = 0; if (ODP_IPSEC_DIR_INBOUND == param->dir) { - ipsec_sa->in.lookup_mode = param->inbound.lookup_mode; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode) { + ipsec_sa->lookup_mode = param->inbound.lookup_mode; + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode) { ipsec_sa->in.lookup_ver = param->inbound.lookup_param.ip_version; if (ODP_IPSEC_IPV4 == ipsec_sa->in.lookup_ver) 
@@ -293,6 +293,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0); odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0); } else { + ipsec_sa->lookup_mode = ODP_IPSEC_LOOKUP_DISABLED; odp_atomic_store_u32(&ipsec_sa->out.seq, 1); ipsec_sa->out.frag_mode = param->outbound.frag_mode; ipsec_sa->out.mtu = param->outbound.mtu; @@ -552,19 +553,16 @@ int odp_ipsec_sa_mtu_update(odp_ipsec_sa_t sa, uint32_t mtu) ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) { - (void)lookup; - int i; - ipsec_sa_t *ipsec_sa; ipsec_sa_t *best = NULL; for (i = 0; i < ODP_CONFIG_IPSEC_SAS; i++) { - ipsec_sa = ipsec_sa_entry(i); + ipsec_sa_t *ipsec_sa = ipsec_sa_entry(i); if (ipsec_sa_lock(ipsec_sa) < 0) continue; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode && + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi && lookup->ver == ipsec_sa->in.lookup_ver && 
@@ -576,7 +574,7 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) _odp_ipsec_sa_unuse(best); return ipsec_sa; } else if (NULL == best && - ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && + ODP_IPSEC_LOOKUP_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi) { best = ipsec_sa;

From patchwork Mon Jan 29 15:00:14 2018
X-Patchwork-Id: 126169
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:14 +0300
Message-Id: <1517238014-22220-6-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 5/5] linux-gen: ipsec: fix SA leak in SA creation

From: Dmitry Eremin-Solenikov

odp_ipsec_sa_create can leave SA locked if one asks for ODP_AUTH_AES_GMAC with non-NULL encryption. Unlock SA in error path.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef
 **/
platform/linux-generic/odp_ipsec_sad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 2af72bbb5..60d9b8fe7 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -416,7 +416,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) break; case ODP_AUTH_ALG_AES_GMAC: if (ODP_CIPHER_ALG_NULL != crypto_param.cipher_alg) - return ODP_IPSEC_SA_INVALID; + goto error; ipsec_sa->use_counter_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16;
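
Review bot: in patch 1/5, the `state & IPSEC_SA_STATE_FREE` test in ipsec_sa_lock() is only correct because 0xc0000000 happens to be the OR of IPSEC_SA_STATE_DISABLE (0x40000000) and the new IPSEC_SA_STATE_RESERVED (0x80000000), and the define hunk removes the one comment next to the values that flagged the overlap. Defining IPSEC_SA_STATE_FREE as `(IPSEC_SA_STATE_DISABLE | IPSEC_SA_STATE_RESERVED)`, or testing against a separately named "not usable" mask, would keep the lock check right if any of the three values is changed later; as written the relationship is documented only inside ipsec_sa_lock().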
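
Review bot: in patch 1/5, the comment on ipsec_sa_publish() ("Mark reserved SA as available now") does not state the ordering contract the fix depends on. The release store of 0 to `ipsec_sa->state` is the point at which ipsec_sa_lock() on the lookup path stops rejecting the entry, so every SA field has to be written before the call; please say so in the comment, since in odp_ipsec_sa_create() the call sits directly before `return ipsec_sa->ipsec_sa_hdl;` where later initialisation could easily be added after it.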
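
Review bot: in patch 3/5, the added `NULL == best &&` makes the first ODP_IPSEC_LOOKUP_SPI match in table order win and sends every later SPI-only match to the `_odp_ipsec_sa_unuse(ipsec_sa)` branch. That stops `best = ipsec_sa;` from overwriting an SA that is still held, but it leaves the choice between SAs with the same proto and SPI dependent on slot index. A comment at the condition saying that first match wins would make that intentional, and the commit message sentence "Follow that case if we have no 'best' option" should be reworded to say the same thing.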
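
Review bot: in patch 4/5, the `lookup_mode` member moved to the common part of struct ipsec_sa_s carries no comment saying it is valid for both directions and is ODP_IPSEC_LOOKUP_DISABLED for outbound SAs, which is the invariant _odp_ipsec_sa_lookup() now relies on before it reads `ipsec_sa->in.lookup_ver` from the inbound half of the union. Please document that at the field. The cleanup in the lookup hunk (dropping `(void)lookup;` and narrowing the scope of `ipsec_sa`) is unrelated to the fix and would be easier to review and backport as its own commit.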
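
Review bot: in patch 5/5, the commit message names ODP_AUTH_AES_GMAC while the case label in the hunk is `ODP_AUTH_ALG_AES_GMAC`; please correct the message so it can be found by grep. The change itself is the same defect as patch 2/5 (an early `return ODP_IPSEC_SA_INVALID;` in odp_ipsec_sa_create() replaced by `goto error;`), so the two could be one commit, and since the body of the `error:` label is not in either hunk's context the message should state that this label is what releases the SA. It is also worth checking the rest of the function for other direct returns between reserving and publishing the SA.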