Commit 06ccc8ec authored Nov 23, 2022 by Jakub Kicinski

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
ipsec 2022-11-23

1) Fix "disable_policy" on ipv4 early demuxP Packets after
   the initial packet in a flow might be incorectly dropped
   on early demux if there are no matching policies.
   From Eyal Birger.

2) Fix a kernel warning in case XFRM encap type is not
   available. From Eyal Birger.

3) Fix ESN wrap around for GSO to avoid a double usage of a
    sequence number. From Christian Langrock.

4) Fix a send_acquire race with pfkey_register.
   From Herbert Xu.

5) Fix a list corruption panic in __xfrm_state_delete().
   Thomas Jarosch.

6) Fix an unchecked return value in xfrm6_init().
   Chen Zhongjin.

* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  xfrm: Fix ignored return value in xfrm6_init()
  xfrm: Fix oops in __xfrm_state_delete()
  af_key: Fix send_acquire race with pfkey_register
  xfrm: replay: Fix ESN wrap around for GSO
  xfrm: lwtunnel: squelch kernel warning in case XFRM encap type is not available
  xfrm: fix "disable_policy" on ipv4 early demux
====================

Link: https://lore.kernel.org/r/20221123093117.434274-1-steffen.klassert@secunet.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parents 0830b1ef 40781bfb

net/core/lwtunnel.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -48,9 +48,11 @@ static const char *lwtunnel_encap_str(enum lwtunnel_encap_types encap_type)
		return "RPL";
		case LWTUNNEL_ENCAP_IOAM6:
		return "IOAM6";
		case LWTUNNEL_ENCAP_XFRM:
		/* module autoload not supported for encap type */
		return NULL;
		case LWTUNNEL_ENCAP_IP6:
		case LWTUNNEL_ENCAP_IP:
		case LWTUNNEL_ENCAP_XFRM:
		case LWTUNNEL_ENCAP_NONE:
		case __LWTUNNEL_ENCAP_MAX:
		/* should not have got here */

net/ipv4/esp4_offload.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -314,6 +314,9 @@ static int esp_xmit(struct xfrm_state x, struct sk_buff skb, netdev_features_
		xo->seq.low += skb_shinfo(skb)->gso_segs;
		}

		if (xo->seq.low < seq)
		xo->seq.hi++;

		esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32));

		ip_hdr(skb)->tot_len = htons(skb->len);

net/ipv4/ip_input.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -366,6 +366,11 @@ static int ip_rcv_finish_core(struct net net, struct sock sk,
		iph->tos, dev);
		if (unlikely(err))
		goto drop_error;
		} else {
		struct in_device *in_dev = __in_dev_get_rcu(dev);

		if (in_dev && IN_DEV_ORCONF(in_dev, NOPOLICY))
		IPCB(skb)->flags \|= IPSKB_NOPOLICY;
		}

		#ifdef CONFIG_IP_ROUTE_CLASSID

net/ipv6/esp6_offload.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -346,6 +346,9 @@ static int esp6_xmit(struct xfrm_state x, struct sk_buff skb, netdev_features
		xo->seq.low += skb_shinfo(skb)->gso_segs;
		}

		if (xo->seq.low < seq)
		xo->seq.hi++;

		esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32));

		len = skb->len - sizeof(struct ipv6hdr);

net/ipv6/xfrm6_policy.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -287,9 +287,13 @@ int __init xfrm6_init(void)
		if (ret)
		goto out_state;

		register_pernet_subsys(&xfrm6_net_ops);
		ret = register_pernet_subsys(&xfrm6_net_ops);
		if (ret)
		goto out_protocol;
		out:
		return ret;
		out_protocol:
		xfrm6_protocol_fini();
		out_state:
		xfrm6_state_fini();
		out_policy: