Tomas Charvat tc@excello.cz wrote:
[ CC stable, Steffen ]
> Hi Florian and David, I'm running several servers that use XFRM ipsec. It does work well on all kernels below 4.14.0.
> It doesn't work on 4.14.0-2. There is no error in dmesg or in userspace when I do configure policies.
> Since there is not much info about XFRM in dmesg I have no clue where to start when I want to debug this issue.
David, please consider picking up 94802151894d482e82c324edf2c658f8e6b96508 ("Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find."")
for the 4.14.y stable queue.
I think it's a pretty safe bet that this fixes the problem, it broke transport mode wildcard policy lookup.
> I have seen that you have removed flow-cache that we have fixed 2 times. Do you have a clue where to start with debug of this issue?
If the revert doesn't help, please do a bug report to netdev@vger.kernel.org and provide /proc/net/xfrm_stat content and the list of policies/SAs.