Tomas Charvat <tc@xxxxxxxxxx> wrote:
[ CC stable, Steffen ]
> Hi Florian and David, I'm running several servers that use XFRM ipsec.
> It do work well on all kernels bellow 4.14.0.
>
> It doesnt work on 4.14.0-2. There is no any error in dmesg or in
> userspace when I do configure policies.
>
> Since there is not much info about XFRM in dmesg I have no clue, where
> to start when I want to debug this issue.
David, please consider picking up
94802151894d482e82c324edf2c658f8e6b96508
("Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.")
for the 4.14.y stable queue.
I think its a pretty safe bet that this fixes the problem, it broke
transport mode wildcard policy lookup.
> I have seen that you have removed flow-cache that we have fixed 2 time.
> Do you have clue where to start with debug of this issue ?
If the revert doesn't help, please do a bug report to
netdev@xxxxxxxxxxxxxxx and provide /proc/net/xfrm_stat content
and the list of policies/SAs.