Commit 463ec95a authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'ipsec-2025-01-27' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 

Steffen Klassert says:

====================
pull request (net): ipsec 2025-01-27

1) Fix incrementing the upper 32 bit sequence numbers for GSO skbs.
   From Jianbo Liu.

2) Fix an out-of-bounds read on xfrm state lookup.
   From Florian Westphal.

3) Fix secpath handling on packet offload mode.
   From Alexandre Cassen.

4) Fix the usage of skb->sk in the xfrm layer.

5) Don't disable preemption while looking up cache state
   to fix PREEMPT_RT.
   From Sebastian Sewior.

* tag 'ipsec-2025-01-27' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  xfrm: Don't disable preemption while looking up cache state.
  xfrm: Fix the usage of skb->sk
  xfrm: delete intermediate secpath entry in packet offload mode
  xfrm: state: fix out-of-bounds read during lookup
  xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO
====================

Link: https://patch.msgid.link/20250127060757.3946314-1-steffen.klassert@secunet.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 0154b949 6c9b7db9

include/net/xfrm.h

+13 −3
Original line number Diff line number Diff line
@@ -1268,9 +1268,19 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir, 


	if (xo) {

		x = xfrm_input_state(skb);

		if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)

			return (xo->flags & CRYPTO_DONE) &&

		if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) {

			bool check = (xo->flags & CRYPTO_DONE) &&

				     (xo->status & CRYPTO_SUCCESS);



			/* The packets here are plain ones and secpath was

			 * needed to indicate that hardware already handled

			 * them and there is no need to do nothing in addition.

			 *

			 * Consume secpath which was set by drivers.

			 */

			secpath_reset(skb);

			return check;

		}

	}



	return __xfrm_check_nopolicy(net, skb, dir) ||

net/ipv4/esp4.c

+1 −1
Original line number Diff line number Diff line
@@ -279,7 +279,7 @@ static void esp_output_done(void *data, int err) 
		    x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)

			esp_output_tail_tcp(x, skb);

		else

			xfrm_output_resume(skb->sk, skb, err);

			xfrm_output_resume(skb_to_full_sk(skb), skb, err);

	}

}

net/ipv6/esp6.c

+1 −1
Original line number Diff line number Diff line
@@ -315,7 +315,7 @@ static void esp_output_done(void *data, int err) 
		    x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)

			esp_output_tail_tcp(x, skb);

		else

			xfrm_output_resume(skb->sk, skb, err);

			xfrm_output_resume(skb_to_full_sk(skb), skb, err);

	}

}

net/ipv6/xfrm6_output.c

+2 −2
Original line number Diff line number Diff line
@@ -82,14 +82,14 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) 


	toobig = skb->len > mtu && !skb_is_gso(skb);



	if (toobig && xfrm6_local_dontfrag(skb->sk)) {

	if (toobig && xfrm6_local_dontfrag(sk)) {

		xfrm6_local_rxpmtu(skb, mtu);

		kfree_skb(skb);

		return -EMSGSIZE;

	} else if (toobig && xfrm6_noneed_fragment(skb)) {

		skb->ignore_df = 1;

		goto skip_frag;

	} else if (!skb->ignore_df && toobig && skb->sk) {

	} else if (!skb->ignore_df && toobig && sk) {

		xfrm_local_error(skb, mtu);

		kfree_skb(skb);

		return -EMSGSIZE;

net/xfrm/xfrm_interface_core.c

+1 −1
Original line number Diff line number Diff line
@@ -506,7 +506,7 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) 
	skb_dst_set(skb, dst);

	skb->dev = tdev;



	err = dst_output(xi->net, skb->sk, skb);

	err = dst_output(xi->net, skb_to_full_sk(skb), skb);

	if (net_xmit_eval(err) == 0) {

		dev_sw_netstats_tx_add(dev, 1, length);

	} else {