From: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
Date: Wed, 23 Mar 2016 22:39:50 -0600

> A crash is observed when a decrypted packet is processed in receive
> path. get_rps_cpus() tries to dereference the skb->dev fields but it
> appears that the device is freed from the poison pattern.
 ...
> Following are the sequence of events observed -
>
> - Encrypted packet in receive path from netdevice is queued
> - Encrypted packet queued for decryption (asynchronous)
> - Netdevice brought down and freed
> - Packet is decrypted and returned through callback in esp_input_done
> - Packet is queued again for process in network stack using netif_rx
>
> Since the device appears to have been freed, the dereference of
> skb->dev in get_rps_cpus() leads to an unhandled page fault
> exception.
>
> Fix this by holding on to device reference when queueing packets
> asynchronously and releasing the reference on call back return.
>
> v2: Make the change generic to xfrm as mentioned by Steffen and
> update the title to xfrm
>
> Suggested-by: Herbert Xu <herb...@gondor.apana.org.au>
> Signed-off-by: Jerome Stanislaus <jero...@codeaurora.org>
> Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>

Applied and queued up for -stable, thanks.
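
The hold-on-queue, release-on-callback pattern described in the quoted commit message, as a simplified single-threaded userspace C model added here for illustration; it is not the kernel patch, and every struct and function name in it is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: these names are hypothetical, not kernel APIs. */
struct netdev { int refcnt; int ifindex; };
struct pkt    { struct netdev *dev; };

static int live_devices;              /* devices allocated and not yet freed */

static struct netdev *netdev_new(int ifindex) {
    struct netdev *d = malloc(sizeof(*d));
    if (!d) abort();
    d->refcnt = 1;                    /* owner's reference */
    d->ifindex = ifindex;
    live_devices++;
    return d;
}
static void netdev_hold(struct netdev *d) { d->refcnt++; }
static void netdev_put(struct netdev *d) {
    if (--d->refcnt == 0) { free(d); live_devices--; }
}

/* Queue for asynchronous decryption: pin the device while the packet is in flight. */
static void queue_async_decrypt(struct pkt *p, struct netdev *d) {
    netdev_hold(d);
    p->dev = d;
}

/* Completion callback: re-inject the packet, then release the pin. */
static int decrypt_done(struct pkt *p) {
    struct netdev *d = p->dev;
    int idx = d->ifindex;             /* stand-in for the skb->dev dereference */
    p->dev = NULL;
    netdev_put(d);                    /* last reference: device is freed here */
    return idx;
}

/* Replays the event sequence; returns the ifindex read in the callback, or -1. */
int run_sequence(void) {
    struct pkt p;
    struct netdev *d = netdev_new(7);
    queue_async_decrypt(&p, d);       /* packet queued for decryption */
    netdev_put(d);                    /* device brought down, owner lets go */
    if (live_devices != 1) return -1; /* still alive: the packet holds it */
    int idx = decrypt_done(&p);       /* callback runs after the teardown */
    return live_devices == 0 ? idx : -1;
}

int main(void) { printf("callback read ifindex %d\n", run_sequence()); return 0; }
```

Without the `netdev_hold()` in `queue_async_decrypt()`, the owner's `netdev_put()` would free the device and the read in `decrypt_done()` would touch freed memory, which is the crash the commit message reports.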