From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Wed, 24 Jan 2018 19:00:05 +0300
Message-Id: <1516809608-18061-2-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1516809608-18061-1-git-send-email-odpbot@yandex.ru>
Subject: [lng-odp] [PATCH v1 1/4] linux-gen: ipsec: disallow using SAs while they are being created

From: Dmitry Eremin-Solenikov

Current code has a race condition between inbound traffic and creation of new SA. It is possible for inbound traffic to trigger partially created SA using SA_LOOKUP option (or INLINE mode). Add separate (RESERVED) stage for SA which is in process of being created.

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3594
Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 83482dc460d8a076de317029373e2c8bf3178974
 **/
 platform/linux-generic/odp_ipsec_sad.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 845a73dea..bb984db38 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -17,7 +17,8 @@ #include #define IPSEC_SA_STATE_DISABLE 0x40000000 -#define IPSEC_SA_STATE_FREE 0xc0000000 /* This includes disable !!! */ +#define IPSEC_SA_STATE_FREE 0xc0000000 +#define IPSEC_SA_STATE_RESERVED 0x80000000 typedef struct ipsec_sa_table_t { ipsec_sa_t ipsec_sa[ODP_CONFIG_IPSEC_SAS]; @@ -108,7 +109,8 @@ static ipsec_sa_t *ipsec_sa_reserve(void) ipsec_sa = ipsec_sa_entry(i); - if (odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, 0)) + if (odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, + IPSEC_SA_STATE_RESERVED)) return ipsec_sa; } @@ -120,6 +122,12 @@ static void ipsec_sa_release(ipsec_sa_t *ipsec_sa) odp_atomic_store_rel_u32(&ipsec_sa->state, IPSEC_SA_STATE_FREE); } +/* Mark reserved SA as available now */ +static void ipsec_sa_publish(ipsec_sa_t *ipsec_sa) +{ + odp_atomic_store_rel_u32(&ipsec_sa->state, 0); +} + static int ipsec_sa_lock(ipsec_sa_t *ipsec_sa) { int cas = 0; @@ -128,9 +136,11 @@ static int ipsec_sa_lock(ipsec_sa_t *ipsec_sa) while (0 == cas) { /* * This can be called from lookup path, so we really need this - * check + * check. Thanks to the way flags are defined we actually test + * that the SA is not DISABLED, FREE or RESERVED using just one + * condition. */ - if (state & IPSEC_SA_STATE_DISABLE) + if (state & IPSEC_SA_STATE_FREE) return -1; cas = odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, 
@@ -438,6 +448,8 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) &ses_create_rc)) goto error; + ipsec_sa_publish(ipsec_sa); + return ipsec_sa->ipsec_sa_hdl; error:
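
Review bot: the new test in ipsec_sa_lock(), "if (state & IPSEC_SA_STATE_FREE)", rejects RESERVED only because FREE (0xc0000000) is numerically DISABLE (0x40000000) | RESERVED (0x80000000), and the first hunk deletes the one comment that warned about that overlap at the definition. Please define FREE as (IPSEC_SA_STATE_DISABLE | IPSEC_SA_STATE_RESERVED), or test against a separately named mask, and keep a comment at the #defines, so that a later change to any of the three values cannot quietly let the lookup path lock a half-built SA again. In the last hunk, ipsec_sa_publish() is the only step that makes the SA visible to lookup, so its comment should also say that no SA field may be written after it.
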

From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Wed, 24 Jan 2018 19:00:06 +0300
Message-Id: <1516809608-18061-3-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1516809608-18061-1-git-send-email-odpbot@yandex.ru>
Subject: [lng-odp] [PATCH v1 2/4] linux-gen: ipsec: fix SA leak in odp_ipsec_sa_create

From: Dmitry Eremin-Solenikov

It is possible to leave SA in reserved state if antireplay options are unsupported. Free the SA in this case.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 83482dc460d8a076de317029373e2c8bf3178974
 **/
 platform/linux-generic/odp_ipsec_sad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index bb984db38..162626de0 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -289,7 +289,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) } if (param->inbound.antireplay_ws > IPSEC_ANTIREPLAY_WS) - return ODP_IPSEC_SA_INVALID; + goto error; ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0); odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0); } else {
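
Review bot: this "goto error" is taken before the crypto session is created (the 1/4 hunk shows the session-create failure branch sitting directly ahead of the error: label, well below this check), so the error path has to be safe for an SA that has no session yet; please confirm it does nothing beyond releasing the slot in that case. It would also help to check the rest of odp_ipsec_sa_create() for any other direct "return ODP_IPSEC_SA_INVALID" after the slot is reserved, since with 1/4 applied such a slot stays RESERVED and ipsec_sa_lock() will refuse it from then on.
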

From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Wed, 24 Jan 2018 19:00:07 +0300
Message-Id: <1516809608-18061-4-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1516809608-18061-1-git-send-email-odpbot@yandex.ru>
Subject: [lng-odp] [PATCH v1 3/4] linux-gen: ipsec: fix SA leak in lookup case

From: Dmitry Eremin-Solenikov

SA lookup can leave SAs locked if multiple SAs matched the LOOKUP_SPI case. Follow that case if we have no 'best' option.

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3595
Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 83482dc460d8a076de317029373e2c8bf3178974
 **/
 platform/linux-generic/odp_ipsec_sad.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 162626de0..ad229e754 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -575,9 +575,10 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) if (NULL != best) _odp_ipsec_sa_unuse(best); return ipsec_sa; - } else if (ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && - lookup->proto == ipsec_sa->proto && - lookup->spi == ipsec_sa->spi) { + } else if (NULL == best && + ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && + lookup->proto == ipsec_sa->proto && + lookup->spi == ipsec_sa->spi) { best = ipsec_sa; } else { _odp_ipsec_sa_unuse(ipsec_sa);
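
Review bot: with "NULL == best &&" folded into the SPI-only condition, the first ODP_IPSEC_LOOKUP_SPI entry in table order wins and any later SA with the same proto and SPI is released by the final else without a trace. That stops the leaked lock, but it deserves a comment here saying that first-match is intended, and duplicate proto/SPI pairs in LOOKUP_SPI mode would be better rejected when the SA is created than resolved by slot index during lookup.
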

From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Wed, 24 Jan 2018 19:00:08 +0300
Message-Id: <1516809608-18061-5-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1516809608-18061-1-git-send-email-odpbot@yandex.ru>
Subject: [lng-odp] [PATCH v1 4/4] linux-gen: ipsec: prevent sa_lookup from matching outbound SAs

From: Dmitry Eremin-Solenikov

lookup_mode was valid only for inbound SAs but contained garbage for outbound SAs. Thus it was possible for lookup to match SA with outbound SA. Prevent that by marking all outbound SAs as ODP_IPSEC_LOOKUP_DISABLED.

Signed-off-by: Dmitry Eremin-Solenikov --- /** Email created from pull request 427 (lumag:ipsec-fix-sad) ** https://github.com/Linaro/odp/pull/427 ** Patch: https://github.com/Linaro/odp/pull/427.patch ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29 ** Merge commit sha: 83482dc460d8a076de317029373e2c8bf3178974 **/ platform/linux-generic/include/odp_ipsec_internal.h | 2 +- platform/linux-generic/odp_ipsec_sad.c | 14 ++++++-------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index dbdcbb917..bdb86c400 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -122,6 +122,7 @@ struct ipsec_sa_s { uint8_t salt[IPSEC_MAX_SALT_LEN]; uint32_t salt_length; + odp_ipsec_lookup_mode_t lookup_mode; union { unsigned flags; @@ -144,7 +145,6 @@ struct ipsec_sa_s { union { struct { - odp_ipsec_lookup_mode_t lookup_mode; odp_ipsec_ip_version_t lookup_ver; union { odp_u32be_t lookup_dst_ipv4; diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index ad229e754..2af72bbb5 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -274,8 +274,8 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->mode = param->mode; ipsec_sa->flags = 0; if (ODP_IPSEC_DIR_INBOUND == param->dir) { - ipsec_sa->in.lookup_mode = param->inbound.lookup_mode; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode) { + ipsec_sa->lookup_mode = param->inbound.lookup_mode; + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode) { ipsec_sa->in.lookup_ver = param->inbound.lookup_param.ip_version; if (ODP_IPSEC_IPV4 == ipsec_sa->in.lookup_ver) 
@@ -293,6 +293,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0); odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0); } else { + ipsec_sa->lookup_mode = ODP_IPSEC_LOOKUP_DISABLED; odp_atomic_store_u32(&ipsec_sa->out.seq, 1); ipsec_sa->out.frag_mode = param->outbound.frag_mode; ipsec_sa->out.mtu = param->outbound.mtu; @@ -552,19 +553,16 @@ int odp_ipsec_sa_mtu_update(odp_ipsec_sa_t sa, uint32_t mtu) ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) { - (void)lookup; - int i; - ipsec_sa_t *ipsec_sa; ipsec_sa_t *best = NULL; for (i = 0; i < ODP_CONFIG_IPSEC_SAS; i++) { - ipsec_sa = ipsec_sa_entry(i); + ipsec_sa_t *ipsec_sa = ipsec_sa_entry(i); if (ipsec_sa_lock(ipsec_sa) < 0) continue; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode && + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi && lookup->ver == ipsec_sa->in.lookup_ver && @@ -576,7 +574,7 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) _odp_ipsec_sa_unuse(best); return ipsec_sa; } else if (NULL == best && - ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && + ODP_IPSEC_LOOKUP_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi) { best = ipsec_sa;
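
Review bot: after this patch the inbound lookup is kept away from outbound SAs by a single assignment in the else branch of odp_ipsec_sa_create(), while the DSTADDR_SPI branch of _odp_ipsec_sa_lookup() still reads ipsec_sa->in.lookup_ver from the union that outbound SAs fill with their own out.* fields. Please add a comment at the moved lookup_mode field in odp_ipsec_internal.h stating that it is valid for both directions and must be ODP_IPSEC_LOOKUP_DISABLED for outbound SAs, so the in.* reads in lookup stay guarded by it. Separately, dropping "(void)lookup;" and moving the ipsec_sa declaration into the loop are unrelated cleanups that would be easier to review in their own patch.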