Fix IPCOMP crashes.

[XFRM]: Fix crash introduced by struct dst_entry reordering

XFRM expects xfrm_dst->u.next to be same pointer as dst->next, which
was broken by the dst_entry reordering in commit 1e19e02c~, causing
an oops in xfrm_bundle_ok when walking the bundle upwards.

Kill xfrm_dst->u.next and change the only user to use dst->next instead.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 311f25af5e1a7b936a87f8b3a0fd17926688a806..4d56e16653a3c54efa0d43df2798b956fa4413fa 100644 (file)
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -577,7 +577,6 @@ static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ct
 struct xfrm_dst
 {
        union {
-               struct xfrm_dst         *next;
                struct dst_entry        dst;
                struct rtable           rt;
                struct rt6_info         rt6;

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 157bfbd250ba62f2c451805106b25a1f13b581bf..b48f06fc9fd9e25440fc26f392a231156bb28f35 100644 (file)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2141,7 +2141,7 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
                if (last == first)
                        break;
 
-               last = last->u.next;
+               last = (struct xfrm_dst *)last->u.dst.next;
                last->child_mtu_cached = mtu;
        }