Bug#535571: kernel unaligned access copy_to_user_state with IPSec

To: 535571@bugs.debian.org
Cc: Sebastian <reg9009@yahoo.de>
Subject: Bug#535571: kernel unaligned access copy_to_user_state with IPSec
From: Jonathan Nieder <jrnieder@gmail.com>
Date: Sat, 3 Sep 2011 16:28:11 -0500
Message-id: <[🔎] 20110903212724.GA1589@elie>
Reply-to: Jonathan Nieder <jrnieder@gmail.com>, 535571@bugs.debian.org
In-reply-to: <617125.15750.qm@web28003.mail.ukl.yahoo.com>
References: <20090703104723.18176.33015.reportbug@sunv210-fw2.de.smcc.net> <20100220115122.GA3262@galadriel.inutil.org> <617125.15750.qm@web28003.mail.ukl.yahoo.com>

found 535571 linux-2.6/2.6.32-30
quit

Hi,

ja nein wrote:

> [1046073.600266] Kernel unaligned access at TPC[104ea7fc] copy_to_user_state+0x54/0x9c [xfrm_user]
> [1046073.715755] Kernel unaligned access at TPC[104ea7fc] copy_to_user_state+0x54/0x9c [xfrm_user]
>
> It happens as soon as there's traffic over the tunnel.

I suspect this is still the case in 3.x, too.

Can you use addr2line to find which variable is being accessed to trip
this message?

The problem is (at least I think) just as you mentioned: netlink
attributes are only 4-byte aligned but "struct xfrm_usersa_info" is
8-byte aligned because it contains a struct xfrm_lifetime_cfg.  Though
I don't see why memcpy() would have misbehaved before
v2.6.33-rc3~1^2~10 (sparc: Stop trying to be so fancy and use
__builtin_{memcpy,memset}(), 2009-12-10).

Reply to:

Follow-Ups:
- Processed: Re: kernel unaligned access copy_to_user_state with IPSec
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: Re: workaround
Next by Date: Bug#600204: linux-image-2.6.32-5-amd64: Squeeze ignores Lennys hibernate image
Previous by thread: Processed: Re: workaround
Next by thread: Processed: Re: kernel unaligned access copy_to_user_state with IPSec
Index(es):
- Date
- Thread