linux/net
Herbert Xu 00de651d14 [IPSEC]: Fix strange IPsec freeze.
Problem discovered and initial patch by Olaf Kirch:

	there's a problem with IPsec that has been bugging some of our users
	for the last couple of kernel revs. Every now and then, IPsec will
	freeze the machine completely. This is with openswan user land,
	and with kernels up to and including 2.6.16-rc2.

	I managed to debug this a little, and what happens is that we end
	up looping in xfrm_lookup, and never get out. With a bit of debug
	printks added, I can see this happening:

		ip_route_output_flow calls xfrm_lookup

		xfrm_find_bundle returns NULL (apparently we're in the
			middle of negotiating a new SA or something)

		We therefore call xfrm_tmpl_resolve. This returns EAGAIN
			We go to sleep, waiting for a policy update.
			Then we loop back to the top

		Apparently, the dst_orig that was passed into xfrm_lookup
			has been dropped from the routing table (obsolete=2)
			This leads to the endless loop, because we now create
			a new bundle, check the new bundle and find it's stale
			(stale_bundle -> xfrm_bundle_ok -> dst_check() return 0)

	People have been testing with the patch below, which seems to fix the
	problem partially. They still see connection hangs however (things
	only clear up when they start a new ping or new ssh). So the patch
	is obviously not sufficient, and something else seems to go wrong.

	I'm grateful for any hints you may have...

I suggest that we simply bail out always.  If the dst decides to die
on us later on, the packet will be dropped anyway.  So there is no
great urgency to retry here.  Once we have the proper resolution
queueing, we can then do the retry again.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Olaf Kirch <okir@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-02-13 16:01:27 -08:00
..
802 [P8023]: Fix tainting of kernel. 2006-02-13 15:38:42 -08:00
8021q [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
appletalk [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
atm [ATM]: Ratelimit atmsvc failure messages 2006-02-13 15:34:58 -08:00
ax25 [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
bluetooth [Bluetooth] Fix NULL pointer dereferences of the HCI socket 2006-02-13 11:40:03 +01:00
bridge [BRIDGE]: Better fix for netfilter missing symbol has_bridge_parent 2006-02-13 15:43:58 -08:00
core [NETLINK]: illegal use of pid in rtnetlink 2006-02-09 16:43:41 -08:00
dccp [PATCH] remove bogus asm/bug.h includes. 2006-02-07 20:56:35 -05:00
decnet [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
econet [ECONET]: Use macro for spinlock_t definition. 2006-01-04 13:56:08 -08:00
ethernet [NET]: Use newer is_multicast_ether_addr() in some files 2006-01-06 13:05:58 -08:00
ieee80211 [PATCH] Typo corrections for ieee80211 2006-01-30 17:41:36 -05:00
ipv4 [IPV4] ICMP: Invert default for invalid icmp msgs sysctl 2006-02-13 15:36:21 -08:00
ipv6 [IPV6] Don't store dst_entry for RAW socket 2006-02-13 15:56:13 -08:00
ipx [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
irda [IRDA]: out of range array access 2006-02-09 16:59:48 -08:00
key [AF_KEY]: no message type set 2006-01-24 12:57:19 -08:00
lapb [NET]: Kill skb->list 2005-08-29 15:31:14 -07:00
llc [NET]: Add a dev_ioctl() fallback to sock_ioctl() 2006-01-03 14:18:33 -08:00
netfilter [NETFILTER] Fix Kconfig menu level for x_tables 2006-02-13 15:42:48 -08:00
netlink [NETLINK] genetlink: Fix bugs spotted by Andrew Morton. 2006-02-13 15:51:24 -08:00
netrom [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
packet [NET]: Fix some whitespace issues in af_packet.c 2006-01-23 16:28:02 -08:00
rose [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
rxrpc [NET]: "signed long" -> "long" 2006-01-17 13:03:54 -08:00
sched [PKT_SCHED]: Handle SCTP/DCCP in sfq_hash 2006-01-17 13:01:06 -08:00
sctp [SCTP]: Fix 'fast retransmit' to send a TSN only once. 2006-02-02 16:57:31 -08:00
sunrpc SUNRPC: Move upcall out of auth->au_ops->crcreate() 2006-02-01 12:52:25 -05:00
tipc [TIPC] Avoid polluting the global namespace 2006-01-18 00:45:16 +01:00
unix [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
wanrouter [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
x25 [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
xfrm [IPSEC]: Fix strange IPsec freeze. 2006-02-13 16:01:27 -08:00
compat.c [PATCH] Fix 32bit sendmsg() flaw 2005-09-08 08:14:11 -07:00
Kconfig [NET]: Add CONFIG_NETDEBUG to suppress bad packet messages. 2006-02-02 20:40:09 -08:00
Makefile [TIPC] Initial merge 2006-01-12 14:06:31 -08:00
nonet.c [NET]: Fix sock_init() return value. 2006-01-03 13:11:17 -08:00
socket.c [PATCH] percpu data: only iterate over possible CPUs 2006-02-05 11:06:51 -08:00
sysctl_net.c [NET]: Fix "sysctl_net.c:36: error: 'core_table' undeclared here" 2005-10-03 14:16:34 -07:00
TUNABLE Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00