Commit f6c7b422 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'ipsec-2023-10-17' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 

Steffen Klassert says:

====================
pull request (net): ipsec 2023-10-17

1) Fix a slab-use-after-free in xfrm_policy_inexact_list_reinsert.
   From Dong Chenchen.

2) Fix data-races in the xfrm interfaces dev->stats fields.
   From Eric Dumazet.

3) Fix a data-race in xfrm_gen_index.
   From Eric Dumazet.

4) Fix an inet6_dev refcount underflow.
   From Zhang Changzhong.

5) Check the return value of pskb_trim in esp_remove_trailer
   for esp4 and esp6. From Ma Ke.

6) Fix a data-race in xfrm_lookup_with_ifid.
   From Eric Dumazet.

* tag 'ipsec-2023-10-17' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  xfrm: fix a data-race in xfrm_lookup_with_ifid()
  net: ipv4: fix return value check in esp_remove_trailer
  net: ipv6: fix return value check in esp_remove_trailer
  xfrm6: fix inet6_dev refcount underflow problem
  xfrm: fix a data-race in xfrm_gen_index()
  xfrm: interface: use DEV_STATS_INC()
  net: xfrm: skip policies marked as dead while reinserting policies
====================

Link: https://lore.kernel.org/r/20231017083723.1364940-1-steffen.klassert@secunet.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents c53647a5 de5724ca

include/net/netns/xfrm.h

+1 −0
Original line number Diff line number Diff line
@@ -50,6 +50,7 @@ struct netns_xfrm { 
	struct list_head	policy_all;

	struct hlist_head	*policy_byidx;

	unsigned int		policy_idx_hmask;

	unsigned int		idx_generator;

	struct hlist_head	policy_inexact[XFRM_POLICY_MAX];

	struct xfrm_policy_hash	policy_bydst[XFRM_POLICY_MAX];

	unsigned int		policy_count[XFRM_POLICY_MAX * 2];

net/ipv4/esp4.c

+3 −1
Original line number Diff line number Diff line
@@ -732,7 +732,9 @@ static inline int esp_remove_trailer(struct sk_buff *skb) 
		skb->csum = csum_block_sub(skb->csum, csumdiff,

					   skb->len - trimlen);

	}

	pskb_trim(skb, skb->len - trimlen);

	ret = pskb_trim(skb, skb->len - trimlen);

	if (unlikely(ret))

		return ret;



	ret = nexthdr[1];

net/ipv6/esp6.c

+3 −1
Original line number Diff line number Diff line
@@ -770,7 +770,9 @@ static inline int esp_remove_trailer(struct sk_buff *skb) 
		skb->csum = csum_block_sub(skb->csum, csumdiff,

					   skb->len - trimlen);

	}

	pskb_trim(skb, skb->len - trimlen);

	ret = pskb_trim(skb, skb->len - trimlen);

	if (unlikely(ret))

		return ret;



	ret = nexthdr[1];

net/ipv6/xfrm6_policy.c

+2 −2
Original line number Diff line number Diff line
@@ -117,10 +117,10 @@ static void xfrm6_dst_destroy(struct dst_entry *dst) 
{

	struct xfrm_dst *xdst = (struct xfrm_dst *)dst;



	if (likely(xdst->u.rt6.rt6i_idev))

		in6_dev_put(xdst->u.rt6.rt6i_idev);

	dst_destroy_metrics_generic(dst);

	rt6_uncached_list_del(&xdst->u.rt6);

	if (likely(xdst->u.rt6.rt6i_idev))

		in6_dev_put(xdst->u.rt6.rt6i_idev);

	xfrm_dst_destroy(xdst);

}

net/xfrm/xfrm_interface_core.c

+10 −12
Original line number Diff line number Diff line
@@ -380,8 +380,8 @@ static int xfrmi_rcv_cb(struct sk_buff *skb, int err) 
	skb->dev = dev;



	if (err) {

		dev->stats.rx_errors++;

		dev->stats.rx_dropped++;

		DEV_STATS_INC(dev, rx_errors);

		DEV_STATS_INC(dev, rx_dropped);



		return 0;

	}
@@ -426,7 +426,6 @@ static int 
xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)

{

	struct xfrm_if *xi = netdev_priv(dev);

	struct net_device_stats *stats = &xi->dev->stats;

	struct dst_entry *dst = skb_dst(skb);

	unsigned int length = skb->len;

	struct net_device *tdev;
@@ -473,7 +472,7 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) 
	tdev = dst->dev;



	if (tdev == dev) {

		stats->collisions++;

		DEV_STATS_INC(dev, collisions);

		net_warn_ratelimited("%s: Local routing loop detected!\n",

				     dev->name);

		goto tx_err_dst_release;
@@ -512,13 +511,13 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) 
	if (net_xmit_eval(err) == 0) {

		dev_sw_netstats_tx_add(dev, 1, length);

	} else {

		stats->tx_errors++;

		stats->tx_aborted_errors++;

		DEV_STATS_INC(dev, tx_errors);

		DEV_STATS_INC(dev, tx_aborted_errors);

	}



	return 0;

tx_err_link_failure:

	stats->tx_carrier_errors++;

	DEV_STATS_INC(dev, tx_carrier_errors);

	dst_link_failure(skb);

tx_err_dst_release:

	dst_release(dst);
@@ -528,7 +527,6 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) 
static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)

{

	struct xfrm_if *xi = netdev_priv(dev);

	struct net_device_stats *stats = &xi->dev->stats;

	struct dst_entry *dst = skb_dst(skb);

	struct flowi fl;

	int ret;
@@ -545,7 +543,7 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev) 
			dst = ip6_route_output(dev_net(dev), NULL, &fl.u.ip6);

			if (dst->error) {

				dst_release(dst);

				stats->tx_carrier_errors++;

				DEV_STATS_INC(dev, tx_carrier_errors);

				goto tx_err;

			}

			skb_dst_set(skb, dst);
@@ -561,7 +559,7 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev) 
			fl.u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;

			rt = __ip_route_output_key(dev_net(dev), &fl.u.ip4);

			if (IS_ERR(rt)) {

				stats->tx_carrier_errors++;

				DEV_STATS_INC(dev, tx_carrier_errors);

				goto tx_err;

			}

			skb_dst_set(skb, &rt->dst);
@@ -580,8 +578,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev) 
	return NETDEV_TX_OK;



tx_err:

	stats->tx_errors++;

	stats->tx_dropped++;

	DEV_STATS_INC(dev, tx_errors);

	DEV_STATS_INC(dev, tx_dropped);

	kfree_skb(skb);

	return NETDEV_TX_OK;

}