ipsec: Use the correct ip_local_out function

Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly. Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash. Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Herbert Xu and committed by David S. Miller
1ac06e03 6f704992

+2 -2
+1 -1
net/ipv4/route.c
··· 160 160 .negative_advice = ipv4_negative_advice, 161 161 .link_failure = ipv4_link_failure, 162 162 .update_pmtu = ip_rt_update_pmtu, 163 - .local_out = ip_local_out, 163 + .local_out = __ip_local_out, 164 164 .entry_size = sizeof(struct rtable), 165 165 .entries = ATOMIC_INIT(0), 166 166 };
+1 -1
net/ipv6/route.c
··· 109 109 .negative_advice = ip6_negative_advice, 110 110 .link_failure = ip6_link_failure, 111 111 .update_pmtu = ip6_rt_update_pmtu, 112 - .local_out = ip6_local_out, 112 + .local_out = __ip6_local_out, 113 113 .entry_size = sizeof(struct rt6_info), 114 114 .entries = ATOMIC_INIT(0), 115 115 };
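Review bot: In net/ipv4/route.c, the new `.local_out = __ip_local_out` line does not match the commit message, which names `__ip_local_output` and `ip_local_output`; the message should use the identifiers that appear in the hunk so the change can be found by searching for them. The initializer also has no comment stating that `.local_out` must hand back the netfilter hook result without calling dst_output itself, which is the contract the message says xfrm_output_resume relies on. A one-line comment above the field would make it harder for a later cleanup to put `ip_local_out` back and reintroduce the use-after-free.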
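Review bot: In net/ipv6/route.c, the switch to `__ip6_local_out` is not covered by the commit message, which discusses only the IPv4 function names; the message should say whether the IPv6 path hits the same clash between the nf_hook and dst_output return values or is being changed for consistency. Since after this change neither address family calls dst_output on the caller's behalf, the submission should also confirm that every user of the `.local_out` hook performs its own dst_output call when the hook returns 1, not only xfrm_output_resume.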