tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
ipsec 2022-11-23

1) Fix "disable_policy" on ipv4 early demuxP Packets after
the initial packet in a flow might be incorectly dropped
on early demux if there are no matching policies.
From Eyal Birger.

2) Fix a kernel warning in case XFRM encap type is not
available. From Eyal Birger.

3) Fix ESN wrap around for GSO to avoid a double usage of a
sequence number. From Christian Langrock.

4) Fix a send_acquire race with pfkey_register.
From Herbert Xu.

5) Fix a list corruption panic in __xfrm_state_delete().
Thomas Jarosch.

6) Fix an unchecked return value in xfrm6_init().
Chen Zhongjin.

* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
xfrm: Fix ignored return value in xfrm6_init()
xfrm: Fix oops in __xfrm_state_delete()
af_key: Fix send_acquire race with pfkey_register
xfrm: replay: Fix ESN wrap around for GSO
xfrm: lwtunnel: squelch kernel warning in case XFRM encap type is not available
xfrm: fix "disable_policy" on ipv4 early demux
====================

Link: https://lore.kernel.org/r/20221123093117.434274-1-steffen.klassert@secunet.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 06ccc8ec 0830b1ef

+57 -15
+3 -1
net/core/lwtunnel.c
··· 48 48 return "RPL"; 49 49 case LWTUNNEL_ENCAP_IOAM6: 50 50 return "IOAM6"; 51 + case LWTUNNEL_ENCAP_XFRM: 52 + /* module autoload not supported for encap type */ 53 + return NULL; 51 54 case LWTUNNEL_ENCAP_IP6: 52 55 case LWTUNNEL_ENCAP_IP: 53 - case LWTUNNEL_ENCAP_XFRM: 54 56 case LWTUNNEL_ENCAP_NONE: 55 57 case __LWTUNNEL_ENCAP_MAX: 56 58 /* should not have got here */
+3
net/ipv4/esp4_offload.c
··· 314 314 xo->seq.low += skb_shinfo(skb)->gso_segs; 315 315 } 316 316 317 + if (xo->seq.low < seq) 318 + xo->seq.hi++; 319 + 317 320 esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32)); 318 321 319 322 ip_hdr(skb)->tot_len = htons(skb->len);
+5
net/ipv4/ip_input.c
··· 366 366 iph->tos, dev); 367 367 if (unlikely(err)) 368 368 goto drop_error; 369 + } else { 370 + struct in_device *in_dev = __in_dev_get_rcu(dev); 371 + 372 + if (in_dev && IN_DEV_ORCONF(in_dev, NOPOLICY)) 373 + IPCB(skb)->flags |= IPSKB_NOPOLICY; 369 374 } 370 375 371 376 #ifdef CONFIG_IP_ROUTE_CLASSID
+3
net/ipv6/esp6_offload.c
··· 346 346 xo->seq.low += skb_shinfo(skb)->gso_segs; 347 347 } 348 348 349 + if (xo->seq.low < seq) 350 + xo->seq.hi++; 351 + 349 352 esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32)); 350 353 351 354 len = skb->len - sizeof(struct ipv6hdr);
+5 -1
net/ipv6/xfrm6_policy.c
··· 287 287 if (ret) 288 288 goto out_state; 289 289 290 - register_pernet_subsys(&xfrm6_net_ops); 290 + ret = register_pernet_subsys(&xfrm6_net_ops); 291 + if (ret) 292 + goto out_protocol; 291 293 out: 292 294 return ret; 295 + out_protocol: 296 + xfrm6_protocol_fini(); 293 297 out_state: 294 298 xfrm6_state_fini(); 295 299 out_policy:
+23 -11
net/key/af_key.c
··· 2905 2905 break; 2906 2906 if (!aalg->pfkey_supported) 2907 2907 continue; 2908 - if (aalg_tmpl_set(t, aalg) && aalg->available) 2908 + if (aalg_tmpl_set(t, aalg)) 2909 2909 sz += sizeof(struct sadb_comb); 2910 2910 } 2911 2911 return sz + sizeof(struct sadb_prop); ··· 2923 2923 if (!ealg->pfkey_supported) 2924 2924 continue; 2925 2925 2926 - if (!(ealg_tmpl_set(t, ealg) && ealg->available)) 2926 + if (!(ealg_tmpl_set(t, ealg))) 2927 2927 continue; 2928 2928 2929 2929 for (k = 1; ; k++) { ··· 2934 2934 if (!aalg->pfkey_supported) 2935 2935 continue; 2936 2936 2937 - if (aalg_tmpl_set(t, aalg) && aalg->available) 2937 + if (aalg_tmpl_set(t, aalg)) 2938 2938 sz += sizeof(struct sadb_comb); 2939 2939 } 2940 2940 } 2941 2941 return sz + sizeof(struct sadb_prop); 2942 2942 } 2943 2943 2944 - static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) 2944 + static int dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) 2945 2945 { 2946 2946 struct sadb_prop *p; 2947 + int sz = 0; 2947 2948 int i; 2948 2949 2949 2950 p = skb_put(skb, sizeof(struct sadb_prop)); ··· 2972 2971 c->sadb_comb_soft_addtime = 20*60*60; 2973 2972 c->sadb_comb_hard_usetime = 8*60*60; 2974 2973 c->sadb_comb_soft_usetime = 7*60*60; 2974 + sz += sizeof(*c); 2975 2975 } 2976 2976 } 2977 + 2978 + return sz + sizeof(*p); 2977 2979 } 2978 2980 2979 - static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) 2981 + static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t) 2980 2982 { 2981 2983 struct sadb_prop *p; 2984 + int sz = 0; 2982 2985 int i, k; 2983 2986 2984 2987 p = skb_put(skb, sizeof(struct sadb_prop)); ··· 3024 3019 c->sadb_comb_soft_addtime = 20*60*60; 3025 3020 c->sadb_comb_hard_usetime = 8*60*60; 3026 3021 c->sadb_comb_soft_usetime = 7*60*60; 3022 + sz += sizeof(*c); 3027 3023 } 3028 3024 } 3025 + 3026 + return sz + sizeof(*p); 3029 3027 } 3030 3028 3031 3029 static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c) ··· 3158 3150 struct sadb_x_sec_ctx *sec_ctx; 3159 3151 struct xfrm_sec_ctx *xfrm_ctx; 3160 3152 int ctx_size = 0; 3153 + int alg_size = 0; 3161 3154 3162 3155 sockaddr_size = pfkey_sockaddr_size(x->props.family); 3163 3156 if (!sockaddr_size) ··· 3170 3161 sizeof(struct sadb_x_policy); 3171 3162 3172 3163 if (x->id.proto == IPPROTO_AH) 3173 - size += count_ah_combs(t); 3164 + alg_size = count_ah_combs(t); 3174 3165 else if (x->id.proto == IPPROTO_ESP) 3175 - size += count_esp_combs(t); 3166 + alg_size = count_esp_combs(t); 3176 3167 3177 3168 if ((xfrm_ctx = x->security)) { 3178 3169 ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len); 3179 3170 size += sizeof(struct sadb_x_sec_ctx) + ctx_size; 3180 3171 } 3181 3172 3182 - skb = alloc_skb(size + 16, GFP_ATOMIC); 3173 + skb = alloc_skb(size + alg_size + 16, GFP_ATOMIC); 3183 3174 if (skb == NULL) 3184 3175 return -ENOMEM; 3185 3176 ··· 3233 3224 pol->sadb_x_policy_priority = xp->priority; 3234 3225 3235 3226 /* Set sadb_comb's. */ 3227 + alg_size = 0; 3236 3228 if (x->id.proto == IPPROTO_AH) 3237 - dump_ah_combs(skb, t); 3229 + alg_size = dump_ah_combs(skb, t); 3238 3230 else if (x->id.proto == IPPROTO_ESP) 3239 - dump_esp_combs(skb, t); 3231 + alg_size = dump_esp_combs(skb, t); 3232 + 3233 + hdr->sadb_msg_len += alg_size / 8; 3240 3234 3241 3235 /* security context */ 3242 3236 if (xfrm_ctx) { ··· 3394 3382 hdr->sadb_msg_len = size / sizeof(uint64_t); 3395 3383 hdr->sadb_msg_errno = 0; 3396 3384 hdr->sadb_msg_reserved = 0; 3397 - hdr->sadb_msg_seq = x->km.seq = get_acqseq(); 3385 + hdr->sadb_msg_seq = x->km.seq; 3398 3386 hdr->sadb_msg_pid = 0; 3399 3387 3400 3388 /* SA */
+14 -1
net/xfrm/xfrm_device.c
··· 97 97 } 98 98 } 99 99 100 + static inline bool xmit_xfrm_check_overflow(struct sk_buff *skb) 101 + { 102 + struct xfrm_offload *xo = xfrm_offload(skb); 103 + __u32 seq = xo->seq.low; 104 + 105 + seq += skb_shinfo(skb)->gso_segs; 106 + if (unlikely(seq < xo->seq.low)) 107 + return true; 108 + 109 + return false; 110 + } 111 + 100 112 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again) 101 113 { 102 114 int err; ··· 146 134 return skb; 147 135 } 148 136 149 - if (skb_is_gso(skb) && unlikely(x->xso.dev != dev)) { 137 + if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) || 138 + unlikely(xmit_xfrm_check_overflow(skb)))) { 150 139 struct sk_buff *segs; 151 140 152 141 /* Packet got rerouted, fixup features and segment it. */
+1 -1
net/xfrm/xfrm_replay.c
··· 714 714 oseq += skb_shinfo(skb)->gso_segs; 715 715 } 716 716 717 - if (unlikely(oseq < replay_esn->oseq)) { 717 + if (unlikely(xo->seq.low < replay_esn->oseq)) { 718 718 XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi; 719 719 xo->seq.hi = oseq_hi; 720 720 replay_esn->oseq_hi = oseq_hi;